cleantalk
Vulnerabilities and Security Researches

Autoship Cloud for WooCommerce Subscription Products, CVE-2024-13461

CVE, Research URL

CVE-2024-13461

Home page URL

Security reports for Autoship Cloud for WooCommerce Subscription Products

Application

Autoship Cloud for WooCommerce Subscription Products

Published on
Feb 21, 2025
Research Description
The Autoship Cloud for WooCommerce Subscription Products plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'autoship-create-scheduled-order-action' shortcode in all versions up to, and including, 2.8.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 2.8.1.
Status
vulnerable
Previous vulnerability researches
Autoship Cloud for WooCommerce Subscription Products (CVE-2024-13461) , Feb 23, 2025
Autoship Cloud for WooCommerce Subscription Products (CVE-2026-24527) , May 27, 2026
Autoship Cloud for WooCommerce Subscription Products (CVE-2025-26878) , Feb 26, 2025
New vulnerability
Export WP Page to Static HTML/CSS (CVE-2026-24574) , May 27, 2026
Team Showcase (CVE-2025-62745) , May 27, 2026
wpForo Forum (CVE-2026-42682) , May 27, 2026
Auto Affiliate Links (CVE-2026-24592) , May 27, 2026
Autoship Cloud for WooCommerce Subscription Products (CVE-2026-24527) , May 27, 2026