CVE-2021-24323: Woocommerce Cross-site Scripting via Additional tax classes field when taxes are enabled
CVSS Score: 4.8 (CVSS 3.1)
Basic Information
CVE ID: CVE-2021-24323
GHSA ID:
EPSS Score: 0.56842%
CWE:
Published: 5/24/2022
Updated: 1/19/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
woocommerce/woocommerce | composer | < 5.2.0 | 5.2.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from unescaped output of user-controlled tax class names in the WooCommerce admin interface. The patch wrapped $label in esc_html() in the output_sections method of class-wc-settings-page.php, which shows that output escaping was missing at that point. Although tax class names are processed in several places, the XSS trigger point was the settings section menu, where the unescaped label was written into the page. The direct match between the vulnerability description and the escaping added in this method confirms it as the fix location.
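As an added illustration, not WooCommerce's code, the following stand-in for the section-menu rendering shows the unescaped output beside the esc_html() fix described above. The sample tax class names and the small esc_html() polyfill (so the script runs outside WordPress) are assumptions.

```php
<?php
// Added illustration, not WooCommerce's code: a simplified stand-in for a
// settings-page section menu built from admin-entered tax class names.

// Minimal stand-in for WordPress's esc_html(), assumed here so the script
// runs without WordPress loaded; it encodes the HTML-significant characters.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed sample: the second "additional tax class" name carries markup.
// Section ids are assumed to be already sanitized slugs, as the label is the
// value the fix addressed.
$sections = [
    'standard' => 'Standard rates',
    'reduced'  => 'Reduced <b>rate</b>',
];

// Vulnerable rendering: $label is concatenated into the menu verbatim,
// so any markup in the tax class name becomes part of the admin page.
function output_sections_vulnerable(array $sections): string {
    $html = '<ul class="subsubsub">';
    foreach ($sections as $id => $label) {
        $html .= '<li><a href="?section=' . $id . '">' . $label . '</a></li>';
    }
    return $html . '</ul>';
}

// Fixed rendering: $label passes through esc_html() before output, which is
// the change the patch made; the markup is now rendered as literal text.
function output_sections_fixed(array $sections): string {
    $html = '<ul class="subsubsub">';
    foreach ($sections as $id => $label) {
        $html .= '<li><a href="?section=' . $id . '">' . esc_html($label) . '</a></li>';
    }
    return $html . '</ul>';
}

// Simple check a reviewer can run: the raw tag must survive only in the
// vulnerable output.
$vuln  = output_sections_vulnerable($sections);
$fixed = output_sections_fixed($sections);
echo $vuln, "\n", $fixed, "\n";
echo 'vulnerable contains raw <b>: ', var_export(strpos($vuln, '<b>') !== false, true), "\n";
echo 'fixed contains raw <b>: ', var_export(strpos($fixed, '<b>') !== false, true), "\n";
```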