Permalink Manager For Woocommerce
Monthly
Stored cross-site scripting via cross-site request forgery affects the Permalink Manager for WooCommerce WordPress plugin in all versions up to and including 1.0.8.2. Because the plugin fails to validate request authenticity (CWE-352), an unauthenticated attacker who lures a logged-in administrator into loading a malicious page can forge a state-changing request that persists attacker-controlled script into the site, which later executes in the admin context. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV; the CVSS 3.1 base score is 7.1 with a scope change reflecting the CSRF-to-stored-XSS impact.
Stored cross-site scripting via cross-site request forgery affects the Permalink Manager for WooCommerce WordPress plugin in all versions up to and including 1.0.8.2. Because the plugin fails to validate request authenticity (CWE-352), an unauthenticated attacker who lures a logged-in administrator into loading a malicious page can forge a state-changing request that persists attacker-controlled script into the site, which later executes in the admin context. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV; the CVSS 3.1 base score is 7.1 with a scope change reflecting the CSRF-to-stored-XSS impact.