CVE-2024-8872 is a reflected Cross-Site Scripting (XSS) vulnerability classified under CWE-80, found in the Store Hours for WooCommerce plugin for WordPress. The vulnerability stems from the plugin's use of the WordPress function add_query_arg without proper escaping or sanitization of URL parameters. This improper neutralization allows an attacker to craft malicious URLs containing arbitrary JavaScript code. When a victim clicks such a link, the injected script executes in the context of the victim's browser session on the affected WordPress site. The vulnerability affects all versions of the plugin up to and including 4.3.20. Since the flaw is reflected, it requires user interaction—specifically, the victim must be tricked into clicking a maliciously crafted URL. The CVSS 3.1 base score is 6.1, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, but user interaction needed. The scope is changed (S:C) because the vulnerability can affect resources beyond the vulnerable component, such as user session data or cookies. The impact includes partial confidentiality and integrity loss, as attackers could steal session cookies, perform actions on behalf of users, or conduct phishing attacks. No availability impact is noted. No known exploits have been reported in the wild as of the publication date. The vulnerability is particularly relevant for websites using WooCommerce with this plugin, which is popular among e-commerce sites built on WordPress. The flaw highlights the importance of proper input validation and output encoding in web applications, especially those handling user-supplied data in URLs.

The vulnerability allows unauthenticated attackers to execute arbitrary JavaScript in the context of the victim's browser session on affected WordPress sites. This can lead to theft of sensitive information such as session cookies, enabling account takeover or unauthorized actions within the WooCommerce store. Attackers could also use this to conduct phishing attacks by injecting malicious content that appears legitimate. Although the vulnerability does not affect system availability, the compromise of user data and integrity of transactions can severely damage an organization's reputation and customer trust. E-commerce sites relying on the Store Hours for WooCommerce plugin are at risk of customer data exposure and fraudulent transactions. The medium CVSS score reflects a moderate but significant risk, especially given the widespread use of WordPress and WooCommerce globally. Organizations failing to address this vulnerability may face regulatory compliance issues related to data protection laws if customer data is compromised.

1. Update the Store Hours for WooCommerce plugin to the latest version once a patch is released by the vendor. Monitor official channels for patch announcements. 2. In the absence of an immediate patch, implement Web Application Firewall (WAF) rules to detect and block suspicious query parameters containing script tags or JavaScript code patterns targeting the vulnerable endpoints. 3. Employ strict input validation and output encoding on all user-supplied data, especially URL parameters, to neutralize potentially malicious scripts. 4. Use security plugins for WordPress that provide additional XSS protection and content sanitization. 5. Educate users and administrators about the risks of clicking on unsolicited or suspicious links, particularly those that appear to come from the affected site. 6. Conduct regular security audits and penetration testing focusing on input handling and URL parameter sanitization. 7. Monitor web server and application logs for unusual URL patterns or repeated attempts to exploit reflected XSS. 8. Limit the exposure of sensitive cookies by setting HttpOnly and Secure flags to reduce the risk of cookie theft via XSS.