CVE-2021-24938

Name of the Vulnerable Software and Affected Versions: WOOCS WordPress plugin versions prior to 1.3.7.1

Description: The issue arises from the lack of sanitization and escaping of the key parameter in the woocs update profiles data AJAX action, which is accessible to any authenticated user. This leads to a Reflected cross-Site Scripting issue, where the unsanitized input is outputted back in the response.

Recommendations: For versions prior to 1.3.7.1, update to version 1.3.7.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the woocs update profiles data AJAX action to minimize the risk of exploitation. Avoid using the key parameter in the affected AJAX endpoint until the issue is resolved.