CVE-2021-24323

Severity: MEDIUM (CVSS 4.8) | EPSS: 0.38%

WooCommerce Cross-site Scripting via "Additional tax classes" field when taxes are enabled

Published: 5/24/2022 | Modified: 2/16/2024
Also known as: GHSA-mp46-7x6q-f28m

Description

When taxes are enabled, the "Additional tax classes" field was not properly sanitised on save or escaped before being output back into the admin dashboard. This allowed high-privilege users such as administrators to store XSS payloads that execute in the browser of anyone who later views the settings page, even when the unfiltered_html capability is disabled for them.
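The description names the classic stored-XSS pattern: an option value saved by one admin is echoed back into the settings form unescaped. The following is an added illustration, not WooCommerce's code; the function names, the option name woocommerce_tax_classes and the payload are assumptions constructed for the example. It is plain PHP so it runs without WordPress; the comments name the WordPress helpers (esc_textarea(), sanitize_textarea_field()) that do the equivalent job inside a plugin.

```php
<?php
// Added example, not WooCommerce code. Option name and payload are constructed.
declare(strict_types=1);

// Constructed: what a malicious admin could save in "Additional tax classes".
// Each line is one tax class; the second line closes the textarea and injects a script.
const MALICIOUS_OPTION = "Reduced rate\n</textarea><script>alert(document.cookie)</script>";

// Vulnerable pattern: the stored option is echoed straight into the textarea.
function render_tax_classes_vulnerable(string $stored): string
{
    return '<textarea name="woocommerce_tax_classes">' . $stored . '</textarea>';
}

// Hardened output: escape for the textarea context (WordPress: esc_textarea()).
// With '<' encoded as &lt; the payload can no longer close the element.
function render_tax_classes_fixed(string $stored): string
{
    return '<textarea name="woocommerce_tax_classes">'
        . htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</textarea>';
}

// Hardened input: normalise on save (WordPress: sanitize_textarea_field() per line).
// Strips tags and control characters and drops empty lines, so only plain class
// names are stored, regardless of the saving user's unfiltered_html capability.
function sanitize_tax_classes(string $raw): string
{
    $lines = preg_split('/\r\n|\r|\n/', $raw);
    $clean = [];
    foreach ($lines as $line) {
        $line = strip_tags($line);
        $line = preg_replace('/[\x00-\x1F\x7F]/', '', $line);
        $line = trim($line);
        if ($line !== '') {
            $clean[] = $line;
        }
    }
    return implode("\n", $clean);
}

// Check: does the rendered HTML still contain a live <script> element?
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$vuln      = render_tax_classes_vulnerable(MALICIOUS_OPTION);
$fixed     = render_tax_classes_fixed(MALICIOUS_OPTION);
$fixedBoth = render_tax_classes_fixed(sanitize_tax_classes(MALICIOUS_OPTION));

echo 'vulnerable output contains <script>: ' . var_export(contains_script_tag($vuln), true) . "\n";
echo 'escaped output contains <script>:    ' . var_export(contains_script_tag($fixed), true) . "\n";
echo "escaped + sanitised output:\n" . $fixedBoth . "\n";
```

Output escaping is the fix class for this CVE; sanitising on save is defence in depth. The unfiltered_html capability does not help here because it only governs the KSES filtering WordPress applies to post and comment content; a plugin-defined option field is never filtered unless the plugin passes the value through wp_kses() or escapes it itself. That is why the CVSS vector below carries PR:H (an administrator must save the payload), UI:R (another user must open the settings page) and S:C (the script runs in that other user's session).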

Affected packages (1)

CVSS scores

Source  Version   Severity     Vector
osv     CVSS 3.1  MEDIUM 4.8   CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

References (4)