A critical Cross-Site Scripting (XSS) vulnerability has been identified in the Smart Online Order for Clover plugin. This vulnerability could allow a malicious actor to inject malicious scripts into the website, which could then be executed by visitors to the affected site.
This vulnerability was discovered and reported by thiennv.
The vulnerability is caused by a flaw in the way the Smart Online Order for Clover plugin handles user input. This flaw allows a malicious actor to inject arbitrary code into the website’s output, which can then be executed by visitors to the site.
Severity
The severity of this vulnerability is considered high, given its CVSS 3.1 score of 7.1. This score highlights the substantial risk it poses to the website’s security.
Affected Versions
No patched version is available of the Smart Online Order for Clover plugin.
Impact
If a malicious actor is able to exploit this vulnerability, they could:
- Redirect visitors to malicious websites, where they could be tricked into downloading malware or entering their personal information.
- Inject advertisements into websites, which could generate revenue for the attacker and damage reputation.
- Steal cookies or other sensitive information from visitors, such as login credentials or credit card numbers.
Recommendation
WordPress users who have installed the Smart Online Order for Clover plugin are advised to disable the plugin until a patched version is available.