Discount Rules for WooCommerce plugin has two high-severity cross-site scripting flaws that could allow an attacker to hijack a targeted site. The flaws are tied to the plugin developer s implementation of Asynchronous JavaScript and XML (AJAX) code. Two fixes for the flaws, first available on Aug. 22 and second on Sept. 2, failed to patch the problem. A third round of patches for the bugs became available to customers Sept. 9. It is unclear if WooCommerce site operators will have to download patches.
Source: https://threatpost.com/woocommerce-plugin-bug-allows-site-takeover/159364/