Unknown · WooCommerce · CVE-2024-37297
**Name of the Vulnerable Software and Affected Versions**
WooCommerce versions 8.8 through 8.8.4
WooCommerce versions 8.9 through 8.9.2
**Description**
A cross-site scripting vulnerability in WooCommerce allows a bad actor to manipulate a link to include malicious HTML and JavaScript content. The injected JavaScript could hijack content and data stored in the browser, including the session. The URL content is read through the `Sourcebuster.js` library and then inserted, without proper sanitization, into the classic checkout and registration forms.
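The class of bug described above, as an added illustration (not WooCommerce or Sourcebuster.js code): attribution values read from a URL are written into form markup, first unescaped and then escaped for the attribute context. The parameter names, hidden-field layout and sample URL are assumptions constructed for the example.

```javascript
// Added illustration; not WooCommerce or Sourcebuster.js code.
// Parameter names and field layout are assumptions made for this example.
const ATTRIBUTION_PARAMS = ['utm_source', 'utm_medium', 'utm_campaign'];

// Read attribution values from a landing URL. Everything returned here
// is controlled by whoever built the link.
function readAttribution(url) {
  const query = new URL(url).searchParams;
  const values = {};
  for (const name of ATTRIBUTION_PARAMS) {
    if (query.has(name)) values[name] = query.get(name);
  }
  return values;
}

// Vulnerable pattern: raw values concatenated into form markup, so a quote
// in the value closes the attribute and the rest is parsed as HTML.
function renderFieldsUnsafe(values) {
  return Object.entries(values)
    .map(([name, value]) => `<input type="hidden" name="${name}" value="${value}">`)
    .join('');
}

// Escape the characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: every value is escaped before it reaches the markup.
// In a browser, creating the input element and assigning .value avoids
// building HTML strings at all.
function renderFieldsSafe(values) {
  return Object.entries(values)
    .map(([name, value]) =>
      `<input type="hidden" name="${escapeHtml(name)}" value="${escapeHtml(value)}">`)
    .join('');
}

// Constructed sample: a harmless marker tag stands in for injected markup.
const sampleUrl = 'https://shop.example/checkout/?utm_source=' +
  encodeURIComponent('news"><b>marker</b>') + '&utm_medium=email';
const sample = readAttribution(sampleUrl);
console.log('unsafe:', renderFieldsUnsafe(sample));
console.log('safe:  ', renderFieldsSafe(sample));
```
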
**Recommendations**
For versions 8.8 through 8.8.4, update to version 8.8.5 or later.
For versions 8.9 through 8.9.2, update to version 8.9.3 or later.
As a temporary workaround, consider disabling the Order Attribution feature to minimize the risk of exploitation.