CVE-2024-8872
📋 TL;DR
The Store Hours for WooCommerce WordPress plugin contains a reflected cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious scripts via crafted URLs. When users click on malicious links, attackers can steal session cookies, redirect users, or perform actions on their behalf. All WordPress sites using this plugin up to version 4.3.20 are affected.
💻 Affected Systems
- Store Hours for WooCommerce WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full control of WordPress site, install backdoors, deface website, or steal sensitive customer data from WooCommerce stores.
Likely Case
Attackers steal user session cookies to hijack accounts, redirect users to phishing sites, or perform limited actions within the user's permissions.
If Mitigated
With proper Content Security Policy (CSP) headers and modern browser XSS protections, script execution may be blocked, limiting impact to failed exploitation attempts.
🎯 Exploit Status
Exploitation requires social engineering to trick users into clicking malicious links. No authentication required for initial injection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.3.21 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3157721/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Store Hours for WooCommerce'.
4. Click 'Update Now' if available.
5. Alternatively, download version 4.3.21 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until the patched version can be installed
wp plugin deactivate order-hours-scheduler-for-woocommerce
Web Application Firewall (WAF) Rule
Block malicious query parameters containing script tags
Add a WAF rule that blocks requests whose query parameters contain '<script' or 'javascript:'
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to block inline script execution
- Use browser security headers like X-XSS-Protection and X-Content-Type-Options
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in the WordPress admin under Plugins → Installed Plugins. If the version is 4.3.20 or lower, the site is vulnerable.
Check Version:
wp plugin get order-hours-scheduler-for-woocommerce --field=version
Verify Fix Applied:
Verify that the plugin version is 4.3.21 or higher. Test by attempting to inject a basic XSS payload via URL parameters (only in a test environment).
📡 Detection & Monitoring
Log Indicators:
- Unusually long URLs with script tags in query parameters
- Multiple failed XSS attempts in web server logs
- Suspicious referrer URLs containing script injections
Network Indicators:
- HTTP requests with script tags in query strings
- Unusual spikes in traffic to plugin-specific endpoints
SIEM Query:
source="web_server_logs" AND (uri="*<script*" OR uri="*javascript:*" OR query="*<script*" OR query="*javascript:*")
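As an added example (not part of the advisory or the plugin's code), the log and SIEM indicators above applied to constructed access-log lines. It assumes the Apache/Nginx combined log format and URL-decodes the query string and referrer before matching, because a literal `*<script*` pattern on the raw URI misses percent-encoded or double-encoded payloads; it also surfaces the "multiple attempts" indicator by counting hits per client IP.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined access-log format (Apache/Nginx default); sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The advisory's indicators, matched case-insensitively after decoding.
INDICATORS = ("<script", "javascript:")

SAMPLE_LOG = [  # constructed, not real traffic
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /shop/?day=monday HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2024:13:55:40 +0000] "GET /shop/?day=%3Cscript%3E1%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2024:13:55:41 +0000] "GET /shop/?day=%253CSCRIPT%253E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Oct/2024:13:56:02 +0000] "GET /shop/ HTTP/1.1" 200 512 "http://phish.example/?next=javascript:void(0)" "Mozilla/5.0"',
]

def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%253Cscript) are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_xss_indicator(text: str) -> bool:
    lowered = decode_fully(text).lower()
    return any(ind in lowered for ind in INDICATORS)

def scan_line(line: str):
    """Return (client_ip, field) for a line carrying an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; count these separately in production
    if has_xss_indicator(urlsplit(m["uri"]).query):
        return (m["ip"], "query")
    if has_xss_indicator(m["referrer"]):
        return (m["ip"], "referrer")
    return None

def scan_log(lines):
    return [hit for hit in map(scan_line, lines) if hit]

def repeat_offenders(hits, threshold: int = 2):
    """IPs with at least `threshold` hits: the 'multiple attempts' indicator."""
    counts = {}
    for ip, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return {ip for ip, n in counts.items() if n >= threshold}
if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    print(found, repeat_offenders(found))
```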