CVE-2024-47367 identifies a reflected cross-site scripting (XSS) vulnerability in the YITH WooCommerce Product Add-Ons plugin, a popular extension for WooCommerce that enables additional product customization options. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be injected and executed in the context of a victim's browser. This reflected XSS occurs when an attacker crafts a specially designed URL or input that is reflected back by the plugin without adequate sanitization or encoding. When a user clicks on such a malicious link, the injected script executes, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, deface the website, or redirect users to malicious domains. The affected versions include all releases up to and including 4.13.0, with no patch currently available or linked. Although no known exploits are reported in the wild, the vulnerability is significant due to the widespread use of WooCommerce and its add-ons in e-commerce platforms. The lack of a CVSS score suggests this is a newly disclosed issue, with the Patchstack assigner indicating it was reserved in late September 2024 and published in early October 2024. The vulnerability requires no authentication but does require user interaction (clicking a malicious link).

The impact of this vulnerability is primarily on the confidentiality and integrity of user sessions and data. Successful exploitation can lead to theft of authentication cookies, enabling account takeover or unauthorized actions within the e-commerce platform. This can result in fraudulent transactions, data leakage, or reputational damage to the affected online stores. Additionally, attackers can use the vulnerability to deliver malware or phishing content to users, further amplifying the risk. The availability impact is generally low unless combined with other vulnerabilities. Given the plugin's integration with WooCommerce, which powers a significant portion of global e-commerce sites, the scope of affected systems is substantial. Organizations running online stores with this plugin are at risk, especially if they have high traffic volumes or handle sensitive customer data. The ease of exploitation is moderate since it requires crafting and delivering malicious URLs but no authentication is needed, increasing the threat surface.

1. Monitor for official patches or updates from YITHEMES and apply them immediately once available to remediate the vulnerability. 2. Until a patch is released, implement strict input validation and output encoding on all user-supplied data reflected in web pages, particularly in the affected plugin components. 3. Employ Web Application Firewalls (WAFs) with rules designed to detect and block reflected XSS attack patterns targeting WooCommerce and its add-ons. 4. Educate users and administrators about the risks of clicking untrusted links and encourage the use of security awareness training. 5. Review and harden Content Security Policy (CSP) headers to restrict script execution sources, mitigating the impact of potential XSS attacks. 6. Conduct regular security assessments and penetration testing focused on e-commerce plugins and extensions to identify similar vulnerabilities proactively. 7. Limit plugin usage to only necessary features and remove or disable unused add-ons to reduce the attack surface.