• Resolved zorrofes

    (@zorrofes)


    Dear Support,

    I keep getting this message from my security plugin:
    The Cross Site Scripting (XSS) vulnerability in the WordPress Email Template Customizer for WooCommerce plugin

    I would just like to know if it’s correct or whether you will update the plugin.

    Thank you & Best regards.

Viewing 12 replies - 1 through 12 (of 12 total)
  • Plugin Support angelagrey

    (@angelagrey)

    Hi,

    Thank you for reaching out to us.

    I’m quite confused as the plugin name isn’t our plugin. Could you check again which email plugin you’re using?

    Best regards.

    Thread Starter zorrofes

    (@zorrofes)

    Hi @angelagrey,

    Thank you for your support. I only have Contact Form 7 and your plugin “Email Template”.
    This is the ERROR:

    Published: 2024-10-17 Updated: 2024-10-17
    Title: WordPress Email Template Customizer for WooCommerce plugin <= 1.2.5 – Cross Site Scripting (XSS) vulnerability.

    I have 1.2.6 not 1.2.5.

    You can see this link for more info: CVE-2024-49288.

    Thank you.


    Plugin Support angelagrey

    (@angelagrey)

    I see. Thank you. We didn’t receive any report regarding this issue since then so I don’t know about this (I checked all the mail folders thoroughly). Our team will review and update our plugin at the earliest if there’s any.

    Just to clarify, our plugin works on the back end only, which means the users who access your site must at least have manage_woocommerce permission to reach the email setting page.

    • This reply was modified 1 month ago by angelagrey.
    Five5star

    (@five5star)

    Hello,

    For a few days, I have been getting the same vulnerability detected by Solid Security through Patchstack for your plugin:

    Cross Site Scripting (XSS) vulnerability discovered by Savphill (Patchstack Alliance) in WordPress Plugin Email Template Customizer for WooCommerce (versions <= 1.2.6)

    https://patchstack.com/database/vulnerability/email-template-customizer-for-woo/wordpress-email-template-customizer-for-woocommerce-plugin-1-2-5-cross-site-scripting-xss-vulnerability?_a_id=431

    Do you plan to fix this soon?

    Plugin Support angelagrey

    (@angelagrey)

    Yes, we’ll review our code and update if any as soon as possible.

    Thank you.

    I’ll wait for the update.

    Thread Starter zorrofes

    (@zorrofes)

    Good luck & Thank you.

    Vulnerability issue still showing. Any update, team?

    Plugin Support angelagrey

    (@angelagrey)

    We’re currently reviewing the issue and will update our plugin shortly.

    Hi, I know this only concerns users who have administrative access. But if you manage to fix it, that would be fantastic, since the ugly notification from my antivirus about your plugin would disappear from my site. I’m including something that might help you.

    The Email Template Customizer for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to and including 1.2.7, due to insufficient input sanitization and output escaping. This allows authenticated attackers, with shop manager-level permissions and above, to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

    https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
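    Added example, not the plugin’s own code, showing the two controls the description above refers to (input sanitization when the setting is saved, output escaping when it is rendered) for a hypothetical WordPress settings field; the option, settings-group and function names are assumptions.

```php
<?php
// Added example, not the plugin's own code: option, group and function names
// are hypothetical. Shows the two controls the advisory text refers to:
// sanitise the template HTML when the setting is saved, and escape it again
// when it is rendered in the admin page.

// Sanitise on save. wp_kses_post() removes <script>, on* event handlers and
// javascript: URLs while keeping ordinary markup. WordPress grants the
// unfiltered_html capability only to users it trusts with raw HTML (never to
// shop managers on multisite, and to nobody where it has been disabled),
// which matches the set of installs the description above says are affected.
function example_sanitize_email_template( $raw ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $raw; // site policy explicitly trusts this user with raw HTML
    }
    return wp_kses_post( $raw );
}

add_action( 'admin_init', function () {
    register_setting(
        'example_email_settings',       // settings group (hypothetical)
        'example_email_template_html',  // option name (hypothetical)
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_sanitize_email_template',
            'default'           => '',
        )
    );
} );

// Escape on output. Reaching the page already needs manage_woocommerce, but
// the stored value is still untrusted data: pick the escaper for the context
// it lands in (textarea body vs. HTML preview), and filter the preview again
// so a value saved before the sanitiser existed is neutralised as well.
function example_render_template_field() {
    $html = get_option( 'example_email_template_html', '' );
    echo '<textarea name="example_email_template_html" rows="10">'
        . esc_textarea( $html )
        . '</textarea>';
    echo '<div class="example-preview">' . wp_kses_post( $html ) . '</div>';
}
```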

    Plugin Support angelagrey

    (@angelagrey)

    We just contacted the Patchstack team and are working on it. We’ll update soon.

    Thread Starter zorrofes

    (@zorrofes)

    Hi,

    Problem solved after update.

    Thanks.
