An advisory was issued a few vulnerability within the Buyer Critiques for WooCommerce plugin, which is put in on over 80,000 web sites. The plugin permits unauthenticated attackers to launch a saved cross-site scripting assault.
Buyer Critiques for WooCommerce Vulnerability
The Buyer Critiques for WooCommerce plugin permits customers to ship clients an e-mail reminder to depart a overview and in addition gives different options designed to extend buyer engagement with a model.
Wordfence issued an advisory a few flaw within the plugin that makes it doable for attackers to inject scripts into internet pages that execute each time a consumer visits the affected web page.
The exploit is because of a failure to “sanitize” inputs and “escape” outputs. Sanitizing inputs on this context is a fundamental WordPress safety measure that checks if uploaded knowledge conforms to anticipated sorts and removes harmful content material like scripts. Output escaping is one other safety measure that ensures any particular characters produced by the plugin aren’t executable.
In accordance with the official Wordfence advisory:
“The Buyer Critiques for WooCommerce plugin for WordPress is weak to Saved Cross-Web site Scripting through the ‘creator’ parameter in all variations as much as, and together with, 5.80.2 because of inadequate enter sanitization and output escaping. This makes it doable for unauthenticated attackers to inject arbitrary internet scripts in pages that can execute each time a consumer accesses an injected web page.”
Customers of the plugin are suggested to replace to model 5.81.0 or newer model.
Featured Picture by Shutterstock/Good Eye
