A Cross-Site Scripting (XSS) vulnerability has been identified in the WooCommerce PDF Invoice Builder plugin. This vulnerability could allow a malicious actor to inject malicious scripts into your website, which could then be executed by visitors to the affected site.
The vulnerability was discovered and reported by LEE SE HYOUNG (hackintoanetwork).
The vulnerability is caused by a flaw in the way the WooCommerce PDF Invoice Builder plugin handles user input. This flaw allows a malicious actor to inject arbitrary code into the website’s output, which can then be executed by visitors to the site.
Severity
The vulnerability has a CVSS 3.1 score of 7.1, which is considered high severity. This means that the vulnerability is relatively easy to exploit and could have a significant impact on a website.
Affected Versions
The vulnerability affects all versions of the WooCommerce PDF Invoice Builder plugin.
Impact
If a malicious actor is able to exploit this vulnerability, they could inject malicious scripts into the website. These scripts could then be executed by visitors to your site, which could lead to a variety of problems, such as:
- Redirecting visitors to malicious websites.
- Injecting advertisements into your website.
- Stealing cookies or other sensitive information from visitors.
Recommendation
WordPress users who have installed the WooCommerce PDF Invoice Builder plugin are advised to disable the plugin until a patched version is available.
Mitigation Steps
To mitigate the risk of this vulnerability, user can take the following steps:
- Disable the WooCommerce PDF Invoice Builder plugin.
- Scan the website for any signs of malicious code.
- Monitor the website for any unusual activity.
Conclusion
This vulnerability is serious and should be addressed as soon as possible. By following the mitigation steps outlined above, users can protect their website from attack.