CVE-2024-2838 in Composite Products for WooCommerce Plugin
Summary
by MITRE • 04/27/2024
The WPC Composite Products for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wooco_components[0][name]' parameter in all versions up to, and including, 7.2.7 due to insufficient input sanitization and output escaping and missing authorization on the ajax_save_components function. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/03/2025
The vulnerability identified as CVE-2024-2838 affects the WPC Composite Products for WooCommerce plugin, a popular WordPress extension that enables users to create composite products by combining multiple individual products. This plugin operates within the WordPress ecosystem and provides functionality for managing complex product configurations through its administrative interfaces. The vulnerability exists in versions up to and including 7.2.7, representing a significant security risk for WordPress sites utilizing this plugin. The flaw manifests as a stored cross-site scripting vulnerability that can be exploited by authenticated attackers who possess subscriber-level privileges or higher, making it particularly concerning given the low privilege requirements for exploitation.
The technical flaw resides in the improper handling of user input within the ajax_save_components function, which processes component data for composite products. Specifically, the 'wooco_components[0][name]' parameter fails to undergo adequate sanitization before being stored in the database and subsequently rendered on web pages. This insufficient input validation creates a persistent XSS vector where malicious scripts can be stored and executed whenever affected pages are accessed. The vulnerability is compounded by missing authorization checks that should validate user permissions before allowing component data modification, allowing unauthorized users to manipulate plugin functionality. The lack of proper output escaping means that stored malicious scripts are directly rendered in user browsers without appropriate HTML encoding or script sanitization.
The operational impact of this vulnerability is substantial for WordPress sites running the affected plugin version. An authenticated attacker with subscriber privileges can inject malicious JavaScript code that persists in the database and executes whenever any user accesses pages containing the compromised component data. This creates a persistent threat vector that can be used for session hijacking, credential theft, or redirection to malicious sites. The vulnerability affects all users who access pages containing the compromised component data, potentially impacting site administrators, customers, and other privileged users who may inadvertently trigger the execution of malicious scripts. The stored nature of the vulnerability means that once exploited, the malicious code remains active until manually removed from the database, creating a long-term security risk that can be exploited repeatedly by any user accessing the compromised pages.
Mitigation strategies for this vulnerability should focus on immediate remediation through plugin updates to versions that address the XSS and authorization flaws. Organizations should implement comprehensive access controls and privilege management to limit the number of users with subscriber-level access or higher who can modify product components. Network monitoring and intrusion detection systems should be configured to detect suspicious AJAX requests targeting the vulnerable endpoint. Input validation should be strengthened at multiple layers including client-side and server-side sanitization, with proper HTML escaping implemented for all dynamic content. Security hardening measures should include regular security audits of WordPress plugins, implementation of content security policies, and monitoring of administrative interfaces for unauthorized modifications. The vulnerability aligns with CWE-79, which describes cross-site scripting flaws, and maps to ATT&CK technique T1548.002 for privilege escalation through modification of web applications, highlighting the need for both input validation and proper access controls to prevent unauthorized modifications to plugin functionality.