
[FG-VD-19-022] Wordpress WooCommerce Cross-Site Scripting Vulnerability Notification

Medium
Automattic
Submitted None
Reported by yzy9951

Vulnerability Details

Technical details and impact analysis

Cross-site Scripting (XSS) - Stored
**Subject**: [FG-VD-19-022] Wordpress WooCommerce Cross-Site Scripting Vulnerability Notification

Dear Automattic,

Fortinet's FortiGuard Labs have discovered a security issue in your product WooCommerce on 02/13/2019. We estimate its risk level is 2, on a scale of 1 (lowest) to 5 (highest), in terms of its impact. Please advise of the appropriate contact person in your company to handle this issue.

Fortinet's research remains ethical at all times, and we therefore strive for Responsible Disclosure. Fortinet's vulnerability disclosure policy can be found at https://fortiguard.com/zeroday/responsible-disclosure.

For this particular issue, we will wait until 03/13/2019 for vendor response before we post an advisory on our website (https://fortiguard.com/zeroday) and/or any other publication form (e.g. conference talk, demo, podcast, etc.). In the case you agree to patch this issue, we'll extend the disclosure deadline to 90 days (it's 05/14/2019 for this issue) automatically. We might disclose it *earlier* than that date only if:

1) Public proof of concept code for the vulnerability is released or it's disclosed by other people, increasing the danger of the vulnerability being exploited in the wild;
2) Active attack against the vulnerability is detected;
3) Or you have patched the vulnerability or released a solution/workaround - a positive fact we'll be happy to mention.

Fortinet will use reasonable efforts to communicate a schedule of planned mediums, including conferences, with the appropriate stakeholders within the affected company.

Our security researchers work on your product or service either because it is popular and/or interesting, so please take this positively. This research is done free of charge for you, although our researchers will appreciate being mentioned in a Hall of Fame or bug bounty if any. Threats to our security researchers are not acceptable and will be dealt with by our Legal team.

We look forward to working closely with you to resolve this issue. If you wish to switch to confidential emails, our PGP key can be found at https://fortiguard.com/secresearch-pgpkey.

Kind regards,
Fortinet's FortiGuard Labs.

## Impact

Cross-Site Scripting

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Cross-site Scripting (XSS) - Stored