WooCommerce Green Wallet Gateway < 1.0.2 – Reflected Cross Site Scripting in checkout page | CVE 2022-1673 | Plugin Vulnerabilities

Description

The plugin does not escape the error_envision query parameter before outputting it to the page, leading to a Reflected Cross-Site Scripting vulnerability.

Proof of Concept

1. Enable greenwallet-gateway as a woocommerce payment gateway
2. add something in your cart and visit the checkout page
3. visit website/checkoutpage/?error_envision=<script>alert(1)</script>

Affects Plugins

greenwallet-gateway

Fixed in 1.0.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

goodguyandy

Submitter

Andrea

Verified

Yes

WPVDB ID

14283389-a6b8-4dd8-9441-f16fcc4ab3c0

Timeline

Publicly Published

2022-05-11 (about 3 years ago)

Added

2022-05-11 (about 3 years ago)

Last Updated

2022-05-12 (about 3 years ago)

Other

Published

Title

Published

2025-01-16

Title

Social2Blog <= 0.2.990 - Reflected Cross-Site Scripting

Published

2023-07-12

Title

Coming Soon Chop Chop <= 2.2.4 - Reflected XSS

Published

2025-08-18

Title

Essential Doo Components for Visual Composer <= 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-04-04

Title

AGCA – Custom Dashboard & Login Page < 7.2.2 - Admin+ Stored XSS via Image URL

Published

2024-04-22

Title

Exclusive Addons for Elementor < 2.6.9.4 - Contributor+ Stored Cross-Site Scripting