CVE-2024-13461 in Autoship Cloud for WooCommerce Subscription Products Plugininfo

Summary

by MITRE • 02/21/2025

The Autoship Cloud for WooCommerce Subscription Products plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'autoship-create-scheduled-order-action' shortcode in all versions up to, and including, 2.8.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 02/25/2025

The vulnerability identified as CVE-2024-13461 affects the Autoship Cloud for WooCommerce Subscription Products plugin, a widely used WordPress extension for managing subscription-based e-commerce operations. This security flaw exists within the plugin's 'autoship-create-scheduled-order-action' shortcode functionality, which allows merchants to create scheduled orders for their customers. The vulnerability represents a critical security risk as it enables authenticated attackers with contributor-level privileges or higher to execute malicious code within the WordPress environment, potentially compromising the entire site and its user data.

The technical root cause of this vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's shortcode implementation. When users provide attributes to the 'autoship-create-scheduled-order-action' shortcode, the plugin fails to properly validate or sanitize these inputs before processing them. This insufficient sanitization creates an opening for attackers to inject malicious JavaScript code through carefully crafted attribute values. The vulnerability is classified as a stored cross-site scripting flaw because the malicious scripts are stored within the plugin's processing logic and executed whenever legitimate users access pages containing the compromised shortcode. The issue affects all versions of the plugin up to and including version 2.8.0, indicating a long-standing security gap that has persisted across multiple releases.

The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with a vector for more sophisticated attacks within the compromised WordPress environment. An attacker with contributor-level access can inject persistent malicious code that will execute whenever any user accesses pages containing the vulnerable shortcode, potentially affecting not just the attacker but all site visitors. This creates a significant risk for e-commerce operations where customer data and financial transactions are processed through the affected platform. The vulnerability enables potential data theft, session hijacking, and further exploitation of the WordPress installation, as the injected scripts can access the victim's browser session and potentially interact with other site features. The attack surface is particularly concerning given that contributors typically have access to publish posts and manage content, making it easier for attackers to establish persistent malicious presence within the site.

Mitigation strategies for this vulnerability should prioritize immediate remediation through plugin updates to versions that address the sanitization and escaping issues. Administrators should also implement additional security measures including restricting contributor privileges to only essential functions, implementing content security policies to limit script execution, and monitoring for unauthorized shortcode usage. The vulnerability aligns with CWE-79, which describes Cross-Site Scripting flaws, and represents a classic example of how insufficient input validation can create persistent security risks within web applications. From an ATT&CK framework perspective, this vulnerability maps to techniques involving code injection and privilege escalation, as attackers can leverage the contributor role to gain more significant control over the WordPress environment. Regular security audits and input validation testing should be implemented to prevent similar vulnerabilities from emerging in other plugin components and to maintain overall site security posture against evolving threat landscapes.

Responsible

Wordfence

Reservation

01/16/2025

Disclosure

02/21/2025

Moderation

accepted

CPE

ready

EPSS

0.00227

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!