CVE-2024-34385 in WooCommerce Wishlist Plugin
Summary
by MITRE • 06/03/2024
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YITHEMES YITH WooCommerce Wishlist yith-woocommerce-wishlist.This issue affects YITH WooCommerce Wishlist: from n/a through <= 3.32.0.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/02/2026
This cross-site scripting vulnerability exists within the YITH WooCommerce Wishlist plugin for WordPress, specifically impacting versions up to and including 3.32.0. The flaw stems from inadequate input sanitization during web page generation processes, allowing malicious actors to inject arbitrary JavaScript code into product pages and wishlist functionalities. The vulnerability represents a classic XSS attack vector where user-supplied data is not properly escaped or validated before being rendered in web pages, creating opportunities for attackers to execute malicious scripts in the context of victims' browsers.
The technical implementation of this vulnerability occurs when the plugin processes user input through various interface elements such as product names, descriptions, or custom fields within the wishlist functionality. When these inputs are displayed without proper HTML escaping or context-appropriate sanitization, an attacker can craft malicious payloads that persist in the database and execute whenever other users view the affected pages. This type of vulnerability falls under CWE-79 which specifically addresses improper neutralization of input during web page generation, making it a well-documented and dangerous class of web application security flaws.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to hijack user sessions, steal sensitive information, manipulate wishlist contents, or redirect users to malicious sites. Given that this affects a widely-used WooCommerce plugin, the potential attack surface is significant, particularly in e-commerce environments where user trust and data integrity are paramount. Attackers could exploit this vulnerability to access customer accounts, modify wishlist items, or even inject malware delivery mechanisms that target the browsing environment of authenticated users.
Mitigation strategies should begin with immediate plugin updates to versions that address this XSS vulnerability, as the vendor has likely released patches to sanitize input parameters properly. Security measures should include implementing proper output encoding for all user-supplied content, employing Content Security Policy headers to limit script execution, and conducting regular input validation checks. Organizations should also consider implementing web application firewalls that can detect and block common XSS attack patterns, while monitoring for suspicious activity in wishlist and product page interactions. Additionally, this vulnerability aligns with ATT&CK technique T1566 which covers social engineering attacks through web application vulnerabilities, making it a critical target for both defensive and detection-focused security measures.