PT-2024-27454 · Unknown · WooCommerce +1
Tomalec · Published 2024-06-12 · Updated 2024-07-23 · CVE-2024-37297
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WooCommerce versions 8.8 through 8.8.4; WooCommerce versions 8.9 through 8.9.2.

Description: A cross-site scripting vulnerability in WooCommerce allows a bad actor to manipulate a link so that it includes malicious HTML and JavaScript content. The injected JavaScript could hijack content and data stored in the browser, including the session. The URL content is read through the Sourcebuster.js library and then inserted without proper sanitization into the classic checkout and registration forms.

Recommendations: For versions 8.8 through 8.8.4, update to version 8.8.5 or later. For versions 8.9 through 8.9.2, update to version 8.9.3 or later. As a temporary workaround, consider disabling the Order Attribution feature to minimize the risk of exploitation.

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2024-37297
GHSA-CV23-Q6GH-XFRF

Affected Products

Sourcebuster.js
WooCommerce