WordPress Plugin Vulnerabilities

WooCommerce < 6.6.0 - Admin+ Stored HTML Injection

Description

The plugin is vulnerable to stored HTML injection due to lack of escaping and sanitizing in the payment gateway titles

Proof of Concept

Go to WooCommerce -> Settings -> Payments tab, enable BAC (Bank Account Transfers) and edit the title in the setup dialog. HTML can be injected there, and will be rendered both for admins (in the admin panel) and visitors in the checkout screen.

<html>
<form action="http://example.com/wp-admin/admin.php?page=wc-settings&tab=checkout&section=bacs" method="POST">
<input class="input-text regular-input " type="text" name="woocommerce_bacs_title" id="woocommerce_bacs_title" style="" value="HTML INJECTION" placeholder="">

<p class="submit">
	<button name="save" class="button-primary woocommerce-save-button" type="submit" value="Save changes">Save changes</button>
	<input type="hidden" id="_wpnonce" name="_wpnonce" value="bfdcc984ec"><input type="hidden" name="_wp_http_referer" value="/wp-admin/admin.php?page=wc-settings&tab=checkout&section=bacs">		</p>
    </form>
</html>

Affects Plugins

Plugin icon
woocommerce
Fixed in 6.6.0

References

CVE
CVE-2022-2099

Classification

Type
INJECTION
OWASP top 10
A1: Injection
CVSS
3.0 (low)

Miscellaneous

Original Researcher
Taurus Omar
Submitter
Taurus Omar
Submitter website
https://taurusomar.com
Submitter twitter
taurusomar_
Verified
Yes
WPVDB ID
0316e5f3-3302-40e3-8ff4-be3423a3be7b

Timeline

Publicly Published
2022-06-20 (about 1 years ago)
Added
2022-06-20 (about 1 years ago)
Last Updated
2023-03-26 (about 8 months ago)

Other

Published
Title
Published
2023-06-23
Title
Supsystic Popup < 1.10.19 - Prototype Pollution
Published
2018-05-01
Title
Form Maker by WD < 1.12.24 - CSV Injection
Published
2023-10-09
Title
EventPrime < 3.2.0 - Reflected HTML Injection on keyword parameter
Published
2020-07-09
Title
Wise Chat < 2.8.4 - CSV Injection
Published
2017-04-19
Title
AccessPress Social Icons < 1.6.8 - Authenticated SQL Injections