What the vulnerability does
01 Description
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Automattic WooCommerce allows Content Spoofing. This issue affects WooCommerce: from n/a through 8.9.2.
Explanation of Vulnerability in Simple Terms
02 Summary
WooCommerce versions up to 8.9.2 contain an input validation flaw that allows high-privilege users to modify site data when they interact with a malicious link or page. The vulnerability requires administrator access and user interaction to exploit. It does not affect confidentiality but can result in unintended changes to site content or functionality.
What an attacker can do
03 Attacker Capabilities
Modify WooCommerce data or settings if a site admin clicks a malicious link.
Potential impact on your site
04 Site Impact
An admin account could be tricked into making unintended changes to store data or settings.
Conditions required to exploit
05 Prerequisites
Attacker must have administrator-level access and trick a site admin into clicking a link.
Key dates
06 Disclosure timeline
July 9, 2024: CVE published
April 28, 2026: Record updated