CVE-2024-8541

Name of the Vulnerable Software and Affected Versions: The Discount Rules for WooCommerce – Create Smart WooCommerce Coupons & Discounts, Bulk Discount, BOGO Coupons plugin for WordPress versions up to, and including, 2.6.5

Description: The issue is related to Reflected Cross-Site Scripting due to the use of add query arg without appropriate escaping on the URL. This allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a site administrator into performing an action such as clicking on a link. The exploitation is only possible when the 'Leave a Review' notice is present, which occurs after 100 orders are made and disappears after a user dismisses the notice.

Recommendations: For versions up to, and including, 2.6.5, update to a version later than 2.6.5 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality until a patch is available, especially when the 'Leave a Review' notice is present. Additionally, avoid clicking on suspicious links, especially when the 'Leave a Review' notice is displayed, to minimize the risk of exploitation.