CVE-2024-11361: 
WordPress vulnerability analysis and mitigation

The PDF Invoices & Packing Slips Generator for WooCommerce plugin for WordPress contains a Reflected Cross-Site Scripting vulnerability (CVE-2024-11361) discovered on November 22, 2024. The vulnerability affects all versions up to and including 2.2.1. This security issue was identified by researcher vgo0 (Wordfence Intel).

The vulnerability stems from improper use of the add_query_arg function without appropriate URL escaping in the plugin's code. This has been classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has received a CVSS v3.1 score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on malicious links. This can lead to potential data exposure and compromise of user interactions with the affected plugin (NVD).

Users of the PDF Invoices & Packing Slips Generator for WooCommerce plugin should update to a version newer than 2.2.1 if available. Until an update is applied, it is recommended to exercise caution when clicking on links related to the plugin's functionality (NVD).