WordPress Plugin Vulnerabilities

Advanced Order Export For WooCommerce < 3.1.8 - Authenticated Reflected Cross-Site Scripting (XSS)

Description

This plugin helps you to easily export WooCommerce order data. The tab parameter in the Admin Panel was vulnerable to authenticated reflected XSS.

Proof of Concept

Affects Plugins

Plugin icon
woo-order-export-lite
Fixed in 3.1.8

References

CVE
CVE-2021-24169
URL
https://0xb9.blog/cross-site-scripting-fixed-in-advanced-order-export-for-woocommerce/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.3 (high)

Miscellaneous

Original Researcher
0xB9
Submitter twitter
0xB9sec
Verified
Yes
WPVDB ID
09681a6c-57b8-4448-982a-fe8d28c87fc3

Timeline

Publicly Published
2021-03-03 (about 4 years ago)
Added
2021-03-03 (about 4 years ago)
Last Updated
2021-05-13 (about 4 years ago)

Other

Published
Title
Published
2024-04-24
Title
Base64 Encoder/Decoder <= 0.9.2 - Stored XSS via CSRF
Published
2024-12-21
Title
SysBasics Customize My Account for WooCommerce < 2.9.0 - Reflected Cross-Site Scripting
Published
2025-09-03
Title
Tooltipy < 5.5.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2012-05-15
Title
WP Statistics <= 2.2.4 - Cross-Site Scripting (XSS)
Published
2024-12-16
Title
EventPrime – Events Calendar, Bookings and Tickets < 4.0.7.4 - Unauthenticated Stored Cross-Site Scripting via Ticket Category and Ticket Type Name