Platform
wordpress
Component
woocommerce
Fixed in
8.9.3
CVE-2024-35777 is a content spoofing vulnerability in the WooCommerce plugin for WordPress, categorised as an injection flaw. It lets an attacker influence content the site renders and so present visitors with misleading information. WooCommerce 8.9.2 and earlier are affected; the fix ships in version 8.9.3.
The practical impact is that attacker-controlled content can be displayed on a WooCommerce-powered site: manipulated product descriptions, altered pricing text, or fake promotional banners. The CVSS rating is low, but the consequences of deceiving users (phishing, promotion of fraudulent products, reputational damage to the shop owner) can be significant. Any WordPress site running an affected WooCommerce version is exposed.
CVE-2024-35777 was publicly disclosed on July 9, 2024. As of that date no public proof-of-concept exploit is known and the CVE is not listed in the CISA KEV catalog. Given the low CVSS rating and the absence of public exploit code, the likelihood of active exploitation is assessed as low, but the upgrade should not be deferred on that basis.
Any WordPress site running WooCommerce 8.9.2 or earlier is at risk. Sites on shared hosting where the owner has limited control over plugin updates tend to lag behind and stay exposed longer. Sites with custom WooCommerce integrations or theme overrides that render product data may carry additional risk if those customisations have not been reviewed for injection and output-encoding problems.
• wordpress / composer / npm: wp plugin get woocommerce --field=version (the plugin slug in wp plugin list output is lower-case, so a case-sensitive grep for "WooCommerce" on that output finds nothing)
• wordpress / composer / npm: wp plugin update woocommerce (or wp plugin update --all)
• wordpress / composer / npm: grep -m1 "^ \* Version:" /var/www/html/wp-content/plugins/woocommerce/woocommerce.php (the version is declared in the plugin header; adjust the path if wp-content lives elsewhere)
• generic web: check the WooCommerce version in the page source (WooCommerce emits a generator meta tag unless the theme suppresses it) or wherever the site shows it in the footer or on product pages.
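The checks above tell you the installed version; deciding whether that version is affected still needs a numeric comparison, because a string comparison puts 8.9.10 below 8.9.3. The following script is an added example, not code from the advisory or from WooCommerce: it reads the Version header from the plugin's main file (the default WordPress plugin path is an assumption, overridable via WP_PLUGINS_DIR), compares it field by field with the fixed release, and falls back to a constructed sample header so it can be tried offline.

```shell
#!/bin/sh
# Added example, not part of the advisory or of WooCommerce itself: read the
# installed version from the plugin header and compare it numerically with the
# fixed release. The plugin path is the WordPress default and is an assumption;
# set WP_PLUGINS_DIR to override it.
WP_PLUGINS_DIR="${WP_PLUGINS_DIR:-/var/www/html/wp-content/plugins}"
FIXED_VERSION="8.9.3"

# Print the numeric part of the "Version:" header from a plugin's main file.
wc_installed_version() {
    sed -n 's/^[[:space:]]*\*[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Succeed (exit 0) when version $1 is strictly lower than version $2.
# Compares dot-separated fields numerically so that 8.9.10 sorts above 8.9.3;
# a plain string comparison would get that wrong. Missing fields count as 0.
version_lt() {
    vl_a="$1." vl_b="$2."
    while [ -n "$vl_a" ] || [ -n "$vl_b" ]; do
        vl_x="${vl_a%%.*}"; vl_a="${vl_a#*.}"
        vl_y="${vl_b%%.*}"; vl_b="${vl_b#*.}"
        [ -n "$vl_x" ] || vl_x=0
        [ -n "$vl_y" ] || vl_y=0
        [ "$vl_x" -lt "$vl_y" ] && return 0
        [ "$vl_x" -gt "$vl_y" ] && return 1
    done
    return 1
}

# Succeed when the plugin file $1 declares a version below FIXED_VERSION.
# Exit 2 when no Version header is present (unknown, treat as needing review).
wc_is_vulnerable() {
    wiv_v="$(wc_installed_version "$1")"
    if [ -z "$wiv_v" ]; then
        echo "no Version header found in $1" >&2
        return 2
    fi
    version_lt "$wiv_v" "$FIXED_VERSION"
}

# Constructed sample in the shape of a WordPress plugin header block, so the
# check can be exercised offline ($1 = output file, $2 = version to embed).
make_sample_header() {
    printf '<?php\n/**\n * Plugin Name: WooCommerce\n * Version: %s\n * Author: Automattic\n */\n' "$2" > "$1"
}

# Stand-alone run: inspect the real install if present, else the sample.
main() {
    target="$WP_PLUGINS_DIR/woocommerce/woocommerce.php"
    if [ ! -f "$target" ]; then
        target="$(mktemp)"
        make_sample_header "$target" "8.9.2"
    fi
    wc_is_vulnerable "$target" && rc=0 || rc=$?
    case $rc in
        0) echo "WooCommerce $(wc_installed_version "$target") is below $FIXED_VERSION: affected by CVE-2024-35777" ;;
        1) echo "WooCommerce $(wc_installed_version "$target") is at or above $FIXED_VERSION: not affected" ;;
        *) echo "could not determine the WooCommerce version from $target" ;;
    esac
}
main
```

The comparison deliberately ignores pre-release suffixes (the sed capture stops at the first non-numeric character), so 8.9.3-beta1 is treated as 8.9.3; if you track beta builds, compare the suffix separately.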
Exploit status
disclosure
EPSS
0.27% (50th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2024-35777 is to upgrade WooCommerce to version 8.9.3 or later without delay. If upgrading is not immediately feasible because of compatibility concerns or breaking changes, enforce strict input validation and context-appropriate output encoding on all user-supplied data rendered by WooCommerce templates and custom integrations; this is a compensating control that narrows the attack surface, not a replacement for the patch. Reviewing and hardening the WordPress theme and other plugins is also advisable. After upgrading, confirm the fix by submitting a value containing HTML metacharacters (for example < > & ") through the product description and checking that the rendered page shows it entity-encoded. Do this from an account without the unfiltered_html capability: administrators and editors on single-site installs can store raw HTML by design, so a probe from such an account does not exercise the sanitiser.
Update the WooCommerce plugin to the latest available version; the most recent release includes the fix for the content injection vulnerability. To update, open the WordPress admin panel, go to the 'Plugins' section and locate WooCommerce. If an update is available, click 'Update now'.
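The post-upgrade check described above is easy to misread by hand, because a probe can come back in four different states. The script below is an added example, not code from the advisory or from WooCommerce: it classifies a fetched product page as raw, encoded, stripped or absent with respect to a marker probe. It assumes the page body has already been saved to a file (for instance with curl against a placeholder URL, as the comment shows) and ships with constructed sample bodies so it runs offline.

```shell
#!/bin/sh
# Added example, not from the advisory or from WooCommerce: classify how a
# probe submitted through the product description comes back in the rendered
# product page. The page body is assumed to have been fetched already, e.g.
#   curl -s "https://shop.example/product/test-item/" > page.html
# (placeholder URL).
PROBE_MARK='cve-2024-35777-probe'
# A <script> element is used because WordPress allows a safe HTML subset
# (e.g. <b>) in post content, so a surviving <b> proves nothing. Submit the
# probe from an account without unfiltered_html; roles that have it store raw
# HTML by design and the result would be meaningless.
PROBE_TAG="<script>/*${PROBE_MARK}*/</script>"

# Encode the characters that matter in HTML text context; & goes first so the
# entities produced by the later substitutions are not encoded again.
html_entity_encode() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g'
}

# $1 = file with the fetched page body. Prints one of:
#   raw       probe came back with its tags intact (output not encoded)
#   encoded   tags were entity-encoded, the expected post-fix behaviour
#   stripped  tags removed, marker text kept (sanitiser dropped the element)
#   absent    the marker was not reflected at all
# Exit status is 1 only for "raw".
probe_reflection() {
    if grep -qF -- "$PROBE_TAG" "$1"; then
        echo raw; return 1
    elif grep -qF -- "$(html_entity_encode "$PROBE_TAG")" "$1"; then
        echo encoded
    elif grep -qF -- "$PROBE_MARK" "$1"; then
        echo stripped
    else
        echo absent
    fi
}

# Constructed sample bodies ($1 = directory) so the classifier can be
# exercised offline; the markup mimics a product description container.
write_sample_pages() {
    printf '<div class="description"><p>%s</p></div>\n' "$PROBE_TAG" > "$1/raw.html"
    printf '<div class="description"><p>%s</p></div>\n' "$(html_entity_encode "$PROBE_TAG")" > "$1/encoded.html"
    printf '<div class="description"><p>/*%s*/</p></div>\n' "$PROBE_MARK" > "$1/stripped.html"
    printf '<div class="description"><p>Plain description</p></div>\n' > "$1/absent.html"
}

main() {
    dir="$(mktemp -d)"
    write_sample_pages "$dir"
    for f in raw encoded stripped absent; do
        printf '%s.html: %s\n' "$f" "$(probe_reflection "$dir/$f.html")"
    done
    rm -rf "$dir"
}
main
```

Only "raw" indicates that the output path is still unencoded; "stripped" means the sanitiser removed the element, which is acceptable, and "absent" usually means the probe never reached the rendered field (caching or a different sink), so re-check before concluding anything.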
CVE-2024-35777 is a vulnerability in WooCommerce versions up to 8.9.2 that allows attackers to inject malicious content, potentially misleading users through content spoofing.
If you are using WooCommerce version 8.9.2 or earlier, you are potentially affected by this vulnerability. Check your WooCommerce version immediately.
Upgrade WooCommerce to version 8.9.3 or later to resolve this vulnerability. If immediate upgrade is not possible, implement strict input validation and output encoding.
As of July 9, 2024, there are no known public exploits or confirmed active exploitation campaigns related to CVE-2024-35777.
Refer to the official WooCommerce security advisory for details: [https://woocommerce.com/security/](https://woocommerce.com/security/)