WordPress Plugin Vulnerabilities

Product Addons & Fields for WooCommerce < 32.0.7 - Reflected Cross-Site Scripting

Description

The plugin does not sanitize and escape some URL parameters, leading to Reflected Cross-Site Scripting.

Proof of Concept

Affects Plugins

Plugin icon
woocommerce-product-addon
Fixed in 32.0.7

References

CVE
CVE-2023-2256

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Alex Sanford
Submitter
Alex Sanford
Submitter website
https://wpscan.com
Verified
Yes
WPVDB ID
1187e041-3be2-4613-8d56-c2394fcc75fb

Timeline

Publicly Published
2023-05-01 (about 2 years ago)
Added
2023-05-03 (about 2 years ago)
Last Updated
2023-05-04 (about 2 years ago)

Other

Published
Title
Published
2024-01-01
Title
Meris <= 1.1.2 - Reflected XSS
Published
2023-12-27
Title
Schema & Structured Data for WP & AMP < 1.24 - Contributor+ Stored XSS
Published
2024-03-29
Title
Contact Form 7 Newsletter <= 2.2 - Reflected Cross-Site Scripting
Published
2024-11-14
Title
IP Based Login < 2.4.1 - Admin+ Stored XSS
Published
2025-02-21
Title
Flashfader <= 1.1.1 - Reflected Cross-Site Scripting