• Resolved mikevtw

    (@mikevtw)


    SiteLock reports this page in an XSS with 8 other pages.

    This page does not show when going to the site and navigating to the product page.

    Need some help to fix this, any pointer appreciated.


Viewing 8 replies - 1 through 8 (of 8 total)
  • Thread Starter mikevtw

    (@mikevtw)

    So these pages are only available for products with variations. Is there any setting to prevent the pages from being accessed with the variables in the URL?

    AJ a11n

    (@amandasjackson)

    Hi there,

    I understand you need help with a recently discovered Cross-Site Scripting (XSS) vulnerability in WooCommerce.

    To get you started, I recommend updating to the most recent version of WooCommerce (3.5.6) as a patch was released. This XSS vulnerability affects WooCommerce versions prior to 3.5.4.

    Thread Starter mikevtw

    (@mikevtw)

    I did update and still see those pages showing up in a SiteLock scan; even Google Analytics finds those pages.

    I’m Monique Becenti, a Product Marketing Specialist at SiteLock. Following the Plugin Support rep’s advice to update the plugin should stop the XSS alert from going off for WooCommerce.

    If you’re worried about how the update will affect the functionality of your site make sure you do a backup before updating. There are a few options to fix the XSS vulnerability if you don’t want to update the plugin for any reason, but routinely backing up your site and updating everything associated with it is best practice.

    We also looked into your scan results; it looks like the XSS scan has not completed for the day. Our team has initiated a new scan. Please give it 24 hours and give us a call at 1-855-378-6200 if the issue still persists.

    Were you able to check your most recent scan results? If you are still having issues, please feel free to reach out. We are here and happy to help.

    Thread Starter mikevtw

    (@mikevtw)

    I had updated to 3.5.6 and before I created this post, SiteLock still showed the XSS vulnerability. Seems to me unless WooCommerce has bad coding practices this is really not an issue.
    I don't think they have bad coding practices since millions of sites use their product.
    Nonetheless, I would like to figure out how to prevent these pages from showing up.

    Plugin Support John Coy a11n

    (@johndcoy)

    Automattic Happiness Engineer

    Hi @mikevtw

    I do not see the errors on that page so updating likely resolved the issue in combination with cache clearing.

  • The topic ‘Sitelock smart scan shows XSS vulnerability on woo commerce product pages’ is closed to new replies.