WooCommerce Brands < 1.6.46 – Contributor+ Stored XSS | CVE 2023-32746 | Plugin Vulnerabilities

Description

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

Proof of Concept

Add a Brand with an image, and assign it to a Product on the Product Edit page.

[product_brand post_id="PRODUCT_ID" height='" onload=alert(/XSS/)//"']

Affects Plugins

woocommerce-brands

Fixed in 1.6.46

References

CVE

URL

https://patchstack.com/database/vulnerability/woocommerce-brands/wordpress-woocommerce-brands-plugin-1-6-45-contributor-stored-cross-site-scripting-xss-vulnerability

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Rafie Muhammad

Verified

Yes

WPVDB ID

28f6d610-b877-496c-93b5-924f2a724d53

Timeline

Publicly Published

2023-05-15 (about 2 years ago)

Added

2023-06-22 (about 2 years ago)

Last Updated

2023-06-22 (about 2 years ago)

Other

Published

Title

Published

2025-06-14

Title

flexoslider <= 1.0004 - Reflected Cross-Site Scripting

Published

2024-03-28

Title

Stackable < 3.12.12 - Contributor+ Stored XSS via Posts Block

Published

2022-09-26

Title

Social Media Follow Buttons Bar <= 4.73 - Admin+ Stored XSS

Published

2025-09-26

Title

WP Statistics < 14.15.5 - Unauthenticated Stored XSS via User-Agent Header

Published

2021-08-13

Title

2Way VideoCalls and Random Chat < 5.2.8 - Reflected Cross-Site Scripting