CVE-2024-11369

6.1 MEDIUM

📋 TL;DR

This vulnerability allows unauthenticated attackers to perform reflected cross-site scripting (XSS) attacks via the 'coupon', 'start_date', and 'end_date' parameters in the Store credit / Gift cards for WooCommerce WordPress plugin. Attackers can inject malicious scripts that execute when users click specially crafted links, potentially stealing session cookies or performing actions on behalf of the user. All WordPress sites using this plugin up to version 1.0.49.46 are affected.

💻 Affected Systems

Products:
  • Store credit / Gift cards for WooCommerce WordPress plugin
Versions: All versions up to and including 1.0.49.46
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the admin/report.php file and affects the plugin's reporting functionality. All WordPress installations with this plugin enabled are vulnerable.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal administrator session cookies, gain full administrative access to the WordPress site, install backdoors, deface the site, or steal customer data including payment information.

🟠 Likely Case

Attackers steal user session cookies to hijack accounts, redirect users to malicious sites, or perform limited actions on behalf of authenticated users.

🟢 If Mitigated

Script execution is blocked by Content Security Policy (CSP) headers or browser XSS filters, limiting impact to parameter reflection without code execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires user interaction (clicking a malicious link) but is trivial to exploit once a user is tricked. No authentication is required to trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.49.47 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3213698/store-credit-for-woocommerce/trunk/admin/report.php

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find 'Store credit / Gift cards for WooCommerce'.
  4. Click 'Update Now' if available.
  5. Alternatively, download version 1.0.49.47+ from WordPress.org and update manually.

🔧 Temporary Workarounds

Disable vulnerable plugin (all platforms)

Temporarily disable the Store credit / Gift cards for WooCommerce plugin until patched:

wp plugin deactivate store-credit-for-woocommerce

Implement WAF rules (all platforms)

Add web application firewall rules to block requests containing script tags in the coupon, start_date, and end_date parameters.

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources
  • Use browser security features like X-XSS-Protection and X-Content-Type-Options headers

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for the 'Store credit / Gift cards for WooCommerce' version. If the version is 1.0.49.46 or lower, you are vulnerable.

Check Version:

wp plugin get store-credit-for-woocommerce --field=version

Verify Fix Applied:

After updating, verify the plugin version shows 1.0.49.47 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing script tags or JavaScript code in coupon, start_date, or end_date parameters
  • Multiple failed XSS attempts in web server logs

Network Indicators:

  • Unusual parameter values containing <script> tags or JavaScript in GET requests
  • Requests to admin/report.php with suspicious parameter values

SIEM Query:

source="web_server_logs" AND (uri_path="*admin/report.php*" AND (param="*<script>*" OR param="*javascript:*"))
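The log indicators, the WAF-rule workaround and the SIEM query above all look for literal `<script>` or `javascript:` strings, but in real access logs those values arrive percent-encoded (sometimes twice), so a literal match misses them. The following script is an added example, not code from the advisory or the plugin: it parses common-log-format lines, URL-decodes the coupon, start_date and end_date parameters on requests whose path contains admin/report.php (the path is taken from the SIEM query above; adjust TARGET_PATH if your logs show a different URI for the report page), flags the indicators the page names, and counts repeat sources to cover the "multiple attempts" indicator. The sample log lines and IP addresses are constructed.

```python
"""Scan web-server access logs for CVE-2024-11369 indicators (added example)."""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

WATCHED_PARAMS = ("coupon", "start_date", "end_date")
# Path fragment from the advisory's SIEM query; assumption: adjust to the URI your site logs.
TARGET_PATH = "admin/report.php"
# The two indicators the advisory names, matched after URL-decoding.
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)

# Common/combined log format: client, identd, user, [timestamp], "request line", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_params(target):
    """Return {param: decoded_value} for watched parameters that match an indicator."""
    parts = urlsplit(target)
    if TARGET_PATH not in parts.path:
        return {}
    hits = {}
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in WATCHED_PARAMS:
        for value in query.get(name, []):
            # parse_qs already percent-decoded once; decode again to catch double-encoding.
            decoded = unquote_plus(value)
            if SUSPICIOUS.search(decoded):
                hits[name] = decoded
    return hits


def scan_log(lines):
    """Return a list of (client_ip, timestamp, {param: value}) for matching log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append((m.group("ip"), m.group("ts"), hits))
    return findings


def repeat_offenders(findings, threshold=2):
    """Map client IP -> number of flagged requests, for IPs at or above the threshold."""
    counts = Counter(ip for ip, _, _ in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log lines; the request URI is an assumption about how the report is served.
REPORT = "/wp-content/plugins/store-credit-for-woocommerce/admin/report.php"
SAMPLE_LOG = [
    f'203.0.113.5 - - [19/Nov/2024:10:01:02 +0000] "GET {REPORT}?coupon=SAVE10&start_date=2024-11-01&end_date=2024-11-30 HTTP/1.1" 200 5120',
    f'198.51.100.7 - - [19/Nov/2024:10:02:15 +0000] "GET {REPORT}?coupon=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 5200',
    f'198.51.100.7 - - [19/Nov/2024:10:02:40 +0000] "GET {REPORT}?start_date=%253Cscript%253E HTTP/1.1" 200 5200',
    '192.0.2.9 - - [19/Nov/2024:10:03:00 +0000] "GET /?s=%3Cscript%3E HTTP/1.1" 200 100',
    f'192.0.2.9 - - [19/Nov/2024:10:03:30 +0000] "GET {REPORT}?end_date=javascript%3Ax HTTP/1.1" 200 5200',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, ts, hits in found:
        print(f"{ts} {ip} -> {hits}")
    print("repeat sources:", repeat_offenders(found))
```

The third sample line is double-encoded and the fourth hits a different path; the script flags the former and ignores the latter, which is the behaviour a WAF rule for this issue should share. A benign coupon code such as SAVE10 passes, so the rule does not block legitimate report queries.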
