CVE-2024-9377: 
WordPress vulnerability analysis and mitigation

The Products, Order & Customers Export for WooCommerce plugin for WordPress contains a Reflected Cross-Site Scripting vulnerability (CVE-2024-9377) affecting all versions up to and including 2.0.15. The vulnerability was discovered and disclosed on October 9, 2024, and stems from improper URL escaping when using addqueryarg & removequeryarg functions (NVD).

The vulnerability exists due to insufficient escaping of URL parameters when using WordPress's addqueryarg and removequeryarg functions. This implementation flaw allows for potential script injection in the plugin's URL handling functionality. The vulnerability has been assigned a CVSS v3.1 score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that it can be exploited remotely without authentication but requires user interaction (Wordfence).

If successfully exploited, this vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. The impact is limited to script execution within the context of the victim's browser session (NVD).

A patch has been released to address this vulnerability. Users should update their Products, Order & Customers Export for WooCommerce plugin to version 2.1.0 or later to mitigate this security risk (WordPress Plugin).