
CVE-2021-24323: Woocommerce Cross-site Scripting via Additional tax classes field when taxes are enabled

CVSS Score (v3.1): 4.8

Basic Information

EPSS Score: 0.56842%
Published: 5/24/2022
Updated: 1/19/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Package Name: woocommerce/woocommerce
Ecosystem: composer
Vulnerable Versions: < 5.2.0
First Patched Version: 5.2.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from unsanitized output of user-controlled tax class names in the admin interface. The patch added esc_html() to $label in class-wc-settings-page.php's output_sections method, proving escaping was missing. Though tax classes were processed in multiple places, the XSS trigger point was specifically in menu rendering where unescaped labels were output. The direct correlation between the vulnerability description and the added escaping in this function confirms its role.
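As an added illustration (not WooCommerce's own code), the pattern described above: a hypothetical section-menu renderer that concatenates the tax class label raw, beside the fixed form that passes it through esc_html() at output time. The tax class labels and the esc_html() stand-in are constructed so the script runs offline without WordPress.

```php
<?php
// Illustrative example of the CVE-2021-24323 pattern; not WooCommerce code.
// esc_html() is WordPress's HTML-escaping helper. A stand-in is defined
// here (assumption) so the script runs without WordPress loaded.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed tax class labels, as an admin could enter them in the
// "Additional tax classes" textarea. The third one carries markup.
$tax_classes = [
    'standard'  => 'Standard rate',
    'reduced'   => 'Reduced rate',
    'zero-rate' => 'Zero rate <em>(experimental)</em>',
];

// Vulnerable pattern (before 5.2.0): $label reaches the page unescaped,
// so any markup stored in the tax class name is rendered as HTML.
function render_sections_unescaped(array $sections, string $current): string {
    $html = '<ul class="subsubsub">';
    foreach ($sections as $id => $label) {
        $class = ($id === $current) ? ' class="current"' : '';
        $html .= '<li><a href="?tab=tax&amp;section=' . rawurlencode($id) . '"'
               . $class . '>' . $label . '</a></li>';
    }
    return $html . '</ul>';
}

// Fixed pattern (5.2.0): the only change is escaping $label at output time,
// which turns '<em>' into '&lt;em&gt;' and neutralises stored markup.
function render_sections_escaped(array $sections, string $current): string {
    $html = '<ul class="subsubsub">';
    foreach ($sections as $id => $label) {
        $class = ($id === $current) ? ' class="current"' : '';
        $html .= '<li><a href="?tab=tax&amp;section=' . rawurlencode($id) . '"'
               . $class . '>' . esc_html($label) . '</a></li>';
    }
    return $html . '</ul>';
}

echo render_sections_unescaped($tax_classes, 'standard'), "\n";
echo render_sections_escaped($tax_classes, 'standard'), "\n";
```

Comparing the two output lines shows the first emits the stored `<em>` tag verbatim into the admin page, while the second emits it as inert text; the same check applies to any other admin-supplied string rendered in the settings menu.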

WAF Protection Rules

WAF Rule

When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfiltered_html is disabled.
