CVE-2024-35777 LOW

CVE-2024-35777: WordPress WooCommerce plugin <= 8.9.2 - Content Injection vulnerability

Vendor Automattic
Product WooCommerce
Weakness CWE-74
Published July 9, 2024
Last update April 28, 2026

CVSS base score

3.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality None
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L

What the vulnerability does

1. Description

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Automattic WooCommerce allows Content Spoofing. This issue affects WooCommerce: from n/a through 8.9.2.

Explanation of Vulnerability in Simple Terms

2. Summary

WooCommerce versions up to and including 8.9.2 contain an input validation flaw that allows high-privilege users to modify site data when they interact with a malicious link or page. Exploitation requires administrator-level privileges and user interaction. The flaw does not affect confidentiality, but it can result in unintended changes to site content or functionality.

What an attacker can do

3. Attacker Capabilities

Modify WooCommerce data or settings if a site admin clicks a malicious link.

Potential impact on your site

4. Site Impact

An admin account could be tricked into making unintended changes to store data or settings.

Conditions required to exploit

5. Prerequisites

The attacker must have administrator-level access and must trick a site admin into clicking a link.

Key dates

6. Disclosure timeline

July 9, 2024 CVE published
April 28, 2026 Record updated