Prerequisites
[X] I have carried out troubleshooting steps and I believe I have found a bug.
[X] I have searched for similar bugs in both open and closed issues and cannot find a duplicate.
Describe the bug
The Wordfence security team disclosed a vulnerability to us in which they found that the Product Delivery Date for WooCommerce – Lite plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of _add_query_arg_ without appropriate escaping on the URL in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This is only exploitable when notices are present.
Steps to reproduce
Install WooCommerce
Install Product Delivery Date for WooCommerce - lite
The vulnerable code is in: includes/component/pro-notices-in-lite/ts-pro-notices.php
Lines 102 to 104
This notice is user-specific, so it is more available than a globally dismissed notice.
Additional functionality is present to trigger notices with the same vulnerability, potentially 8-9 times every 15, then 7 days per user.
According to the researcher that discovered this vulnerability, the time is never initialized leading to the immediate availability of the notice on install but the additional later notices in the same file do not trigger.
Public known reference: https://plugins.trac.wordpress.org/browser/product-delivery-date-for-woocommerce-lite/trunk/includes/component/pro-notices-in-lite/ts-pro-notices.php#L102
Thanks to the vulnerability researcher, vgo0, for sharing the proof of concept and steps to recreate this.
Expected behavior
The Wordfence team recommends using one of the built-in WordPress sanitization and/or escaping functions before saving user input data to the database and when displaying it on output.
References on how to go about the sanitization and escaping functions can be found via: https://developer.wordpress.org/apis/security/sanitizing/ & https://developer.wordpress.org/apis/security/escaping/
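The pattern behind this class of bug, as a constructed example that is not the plugin's code: add_query_arg() builds on the current request URI when no base URL is passed and, as the WordPress documentation notes, does not escape its return value, so echoing it straight into a notice's dismiss link reflects whatever the request URI contained. The hardened form escapes on output with esc_url() and protects the dismiss handler with a nonce and a capability check (the function and option names below are hypothetical):

```php
<?php
// Constructed illustration (not the plugin's code). Assumes a WordPress runtime.

// Vulnerable pattern: the unescaped return value of add_query_arg() is written
// into an href attribute, so the reflected request URI lands in the page as-is.
function example_notice_vulnerable() {
    $dismiss_url = add_query_arg( 'example_dismiss_notice', '1' );
    echo '<div class="notice notice-info"><p>'
        . '<a href="' . $dismiss_url . '">Dismiss</a>'
        . '</p></div>';
}

// Hardened pattern: esc_url() on output neutralises attribute/script injection;
// wp_nonce_url() ties the dismiss action to the logged-in user's session so a
// crafted link cannot trigger it on the user's behalf.
function example_notice_hardened() {
    $dismiss_url = wp_nonce_url(
        add_query_arg( 'example_dismiss_notice', '1' ),
        'example_dismiss_notice'
    );
    echo '<div class="notice notice-info"><p>'
        . '<a href="' . esc_url( $dismiss_url ) . '">Dismiss</a>'
        . '</p></div>';
}

// Handler for the dismiss link: verify the nonce and the capability before
// touching state, and store the dismissal per user (as this notice is user-specific).
function example_handle_dismiss() {
    if ( empty( $_GET['example_dismiss_notice'] ) ) {
        return;
    }
    check_admin_referer( 'example_dismiss_notice' );
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    update_user_meta( get_current_user_id(), 'example_notice_dismissed', time() );
}

add_action( 'admin_notices', 'example_notice_hardened' );
add_action( 'admin_init', 'example_handle_dismiss' );
```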
Isolating the problem
Additional field
Additional details, references, and credits can be found below:
Vulnerability Title: Product Delivery Date for WooCommerce – Lite <= 2.7.3 - Reflected Cross-Site Scripting
CVE ID: CVE-2024-9345
CVSS Severity Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Organization: Wordfence
Vulnerability Researcher(s): vgo0
Honorable mention: Wordfence security team
https://support.tychesoftwares.com/conversation/4826