CVE-2022-0234

Name of the Vulnerable Software and Affected Versions WOOCS WordPress plugin versions prior to 1.3.7.5

Description The issue concerns a Reflected Cross-Site Scripting problem. It arises because the woocs in order currency parameter of the /wp-admin/admin-ajax.php AJAX action woocs get products price html is not properly sanitized and escaped before being output in the response. This endpoint is accessible to both unauthenticated and authenticated users.

Recommendations For versions prior to 1.3.7.5, update to version 1.3.7.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the woocs get products price html AJAX action until the update is applied. Avoid using the woocs in order currency parameter in the affected AJAX endpoint until the issue is resolved.