CVE-2024-25596: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in Doofinder for WooCommerce plugin versions through 2.1.8. The vulnerability was discovered by Dhabaleshwar Das and was assigned CVE-2024-25596. The issue affects the WordPress plugin Doofinder for WooCommerce and allows for Stored XSS attacks (Patchstack).

The vulnerability has been assessed with multiple CVSS scores. According to NVD, it has a CVSS v3.1 Base Score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. Patchstack has rated it with a slightly higher CVSS score of 5.9 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into the website which will be executed when guests visit the site. The impact is considered to have a low severity and is unlikely to be exploited (Patchstack).

The vulnerability has been fixed in version 2.1.9 of the Doofinder for WooCommerce plugin. Users are advised to update to version 2.1.9 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins (Patchstack).