CVE-2024-1697 Information
Description
The Custom WooCommerce Checkout Fields Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the save_wcfe_options function in all versions up to and including 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with subscriber-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Reference
https://www.wordfence.com/threat-intel/vulnerabilities/id/9a92f44b-6f2b-439c-8245-ace189740425?source=cve https://plugins.trac.wordpress.org/browser/add-fields-to-checkout-page-woocommerce/tags/1.2.9/classes/class-wc-checkout-field-editor.php#L1775 https://plugins.trac.wordpress.org/browser/add-fields-to-checkout-page-woocommerce/tags/1.3.2/classes/class-wc-checkout-field-editor.php#L1788
Share on: