WordPress Plugin Vulnerabilities

Direct checkout, Add to cart redirect for Woocommerce < 2.1.49 - Admin+ Stored XSS

Description

The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Affects Plugins

Plugin icon
add-to-cart-direct-checkout-for-woocommerce
Fixed in 2.1.49

References

CVE
CVE-2023-28988

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
MyungJu Kim
Verified
No
WPVDB ID
15529920-77b3-41ed-8807-8744d48a150d

Timeline

Publicly Published
2023-06-26 (about 2 years ago)
Added
2023-06-27 (about 2 years ago)
Last Updated
2023-06-27 (about 2 years ago)

Other

Published
Title
Published
2022-05-17
Title
Opal Hotel Room Booking <= 1.2.7 - Contributor+ Stored Cross-Site Scripting
Published
2025-09-13
Title
Grid Plus <= 3.3 - Reflected Cross-Site Scripting
Published
2025-01-16
Title
WP Contest <= 1.0.0 - Reflected Cross-Site Scripting
Published
2025-04-02
Title
Gravel <= 1.6 - Reflected Cross-Site Scripting
Published
2024-06-06
Title
Pixgraphy < 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting