Oliver from Patchstack here. This vulnerability is a completely valid one and has a CVE assigned to it. @audrasjb is correct that it is a low-severity issue and is unlikely to be mass-exploited. However, it has a significant impact on compliance. Many modern security policies may not actually allow the use of WordPress until this gets fixed, because to stay compliant, they should not run software with unpatched CVEs. That being said, I hope the core team will pay attention to this issue sooner rather than later.