CVE-2024-35680 in WooCommerce Product Add-Ons Plugin
Summary
by MITRE • 06/10/2024
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in YITHEMES YITH WooCommerce Product Add-Ons yith-woocommerce-product-add-ons.This issue affects YITH WooCommerce Product Add-Ons: from n/a through <= 4.9.2.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 04/02/2026
The vulnerability CVE-2024-35680 represents a classic cross-site scripting flaw categorized under CWE-79 Improper Neutralization of Input During Web Page Generation. This weakness specifically manifests in the YITH WooCommerce Product Add-Ons plugin for WordPress, where user-supplied input containing HTML tags is not properly sanitized before being rendered in web pages. The vulnerability exists within the plugin's handling of product add-on data, where malicious actors can inject script code that executes in the context of other users' browsers when they view affected product pages.
The technical implementation of this vulnerability stems from insufficient input validation and output encoding mechanisms within the plugin's codebase. When administrators or users create product add-ons with HTML content, the system fails to adequately neutralize potentially malicious script-related HTML tags such as script, iframe, or object elements. This improper handling allows attackers to craft malicious payloads that bypass the platform's security controls and execute unauthorized code in the victim's browser environment. The vulnerability is classified as basic XSS because it affects the rendering of content on web pages without requiring complex exploitation techniques.
The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to perform various malicious activities including session hijacking, credential theft, and redirection to malicious websites. An attacker who successfully exploits this vulnerability could steal administrator credentials, modify product information, inject malicious advertisements, or redirect users to phishing sites. The affected version range from n/a through 4.9.2 indicates that this vulnerability has existed for multiple versions of the plugin, making it a persistent threat to WordPress installations using YITH WooCommerce Product Add-Ons. The vulnerability affects not just individual user sessions but can compromise entire e-commerce platforms, potentially leading to financial losses and data breaches.
Mitigation strategies for this vulnerability should focus on immediate plugin updates to versions that address the XSS flaw, along with implementing comprehensive input sanitization and output encoding measures. Organizations should deploy web application firewalls that can detect and block malicious script injection attempts, while also establishing strict content validation policies for user-generated content. The remediation process involves not only updating the vulnerable plugin but also conducting thorough security audits of all installed WordPress plugins to identify similar vulnerabilities. Additionally, implementing proper security monitoring and logging mechanisms can help detect exploitation attempts, while regular security training for administrators can prevent social engineering attacks that might leverage this vulnerability. The ATT&CK framework categorizes this vulnerability under T1059 Command and Scripting Interpreter and T1566 Phishing, highlighting the need for both technical and user-focused defensive measures.