Platform: wordpress
Component: woocommerce
Fixed in: 8.9.3
CVE-2024-35777 describes a content spoofing vulnerability in the WooCommerce plugin for WordPress. This injection-class flaw allows attackers to manipulate displayed content, potentially deceiving users with misleading information. The vulnerability affects WooCommerce versions 8.9.2 and earlier; a fix is available in version 8.9.3.
The primary impact of CVE-2024-35777 is the ability for an attacker to inject arbitrary content into WooCommerce-powered websites. This could manifest as manipulated product descriptions, altered pricing information, or even the display of fake promotional banners. While the CVSS score is LOW, the potential for user deception and brand damage is significant. An attacker could leverage this to phish users, promote malicious products, or damage the reputation of the website owner. The attack surface is broad, affecting any WordPress site utilizing WooCommerce.
CVE-2024-35777 was publicly disclosed on July 9, 2024. As of this date, there are no known public proof-of-concept exploits available. The vulnerability is not currently listed on the CISA KEV catalog. Given the LOW CVSS score and lack of public exploits, the probability of active exploitation is considered low, but vigilance is still advised.
Exploit Status
EPSS: 0.27% (50th percentile)
CISA SSVC:
CVSS Vector:
The recommended mitigation for CVE-2024-35777 is to immediately upgrade WooCommerce to version 8.9.3 or later. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing strict input validation and output encoding on all user-supplied data displayed within WooCommerce. While not a complete fix, this can reduce the attack surface. Reviewing and hardening the WordPress theme and other plugins is also advisable to minimize potential vulnerabilities. After upgrading, confirm the fix by attempting to inject special characters into product descriptions and verifying that the output is properly sanitized.
Update the WooCommerce plugin to the latest available version. The most recent version includes a fix for the content injection vulnerability. To update, go to the WordPress admin dashboard, then to the 'Plugins' section and look for WooCommerce. If an update is available, click 'Update now'.
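Confirming whether an install falls in the affected range (8.9.2 and earlier) is a version comparison, and comparing version strings lexically gets it wrong (for example "8.9.10" sorts before "8.9.3" as text). The following is an added example, not code from the page or from WooCommerce: it reads the `Version:` field from the plugin's main file header and compares it numerically against the fixed release. The path `wp-content/plugins/woocommerce/woocommerce.php` is the standard plugin layout and is assumed here; the sample header is constructed for the demonstration.

```python
import re
import sys
from pathlib import Path
from typing import Optional

# Release that ships the fix, as stated in the advisory above.
FIXED_VERSION = "8.9.3"

# Constructed sample of a WordPress plugin header block (not a real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WooCommerce
 * Plugin URI: https://woocommerce.com/
 * Version: 8.9.2
 */
"""


def parse_version(version: str) -> tuple:
    """Turn '8.9.2' into (8, 9, 2) so comparisons are numeric per component."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def plugin_version_from_header(header_text: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    match = re.search(
        r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", header_text, re.MULTILINE
    )
    return match.group(1) if match else None


def is_affected(version: str) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def assess_header(header_text: str) -> dict:
    """Combine header parsing and the version check into one verdict."""
    version = plugin_version_from_header(header_text)
    if version is None:
        return {"version": None, "affected": None, "reason": "no Version header found"}
    return {
        "version": version,
        "affected": is_affected(version),
        "reason": f"fixed in {FIXED_VERSION}",
    }


def assess_install(wp_root: Path) -> dict:
    """Read the plugin header from a WordPress install directory (assumed layout)."""
    main_file = wp_root / "wp-content" / "plugins" / "woocommerce" / "woocommerce.php"
    if not main_file.is_file():
        return {"version": None, "affected": None, "reason": f"{main_file} not found"}
    # The header sits at the top of the file; 4 KiB is plenty.
    text = main_file.read_text(encoding="utf-8", errors="replace")[:4096]
    return assess_header(text)


if __name__ == "__main__":
    # Usage: python check_woocommerce.py /var/www/html
    if len(sys.argv) == 2:
        print(assess_install(Path(sys.argv[1])))
    else:
        print(assess_header(SAMPLE_HEADER))
```

Point the script at the WordPress root; an `affected: True` verdict means the site is still on a version the advisory covers and should be updated as described above.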
CVE-2024-35777 is a vulnerability in WooCommerce versions up to 8.9.2 that allows attackers to inject malicious content, potentially misleading users through content spoofing.
If you are using WooCommerce version 8.9.2 or earlier, you are potentially affected by this vulnerability. Check your WooCommerce version immediately.
Upgrade WooCommerce to version 8.9.3 or later to resolve this vulnerability. If immediate upgrade is not possible, implement strict input validation and output encoding.
As of July 9, 2024, there are no known public exploits or confirmed active exploitation campaigns related to CVE-2024-35777.
Refer to the official WooCommerce security advisory for details: [https://woocommerce.com/security/](https://woocommerce.com/security/)