WordPress Plugin Vulnerabilities

Quick/Bulk Order Form for WooCommerce < 3.6.0 - Shop Manager+ Stored XSS

Description

The plugin does not sanitise and escape some parameters, which could allow users with a role as low as Shop Manager to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
woocommerce-bulk-order-form
Fixed in 3.6.0

References

CVE
CVE-2023-34170

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Emili Castells
Verified
No
WPVDB ID
2c5ac231-f723-4f1f-a780-86226c371323

Timeline

Publicly Published
2023-05-31 (about 2 years ago)
Added
2023-06-22 (about 2 years ago)
Last Updated
2023-06-22 (about 2 years ago)

Other

Published
Title
Published
2025-08-29
Title
Cookie Notice & Consent < 1.6.5 - Unauthenticated Stored Cross-Site Scripting
Published
2025-04-25
Title
Enhanced Paypal Shortcodes <= 0.5a - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2017-03-01
Title
Google Analytics Dashboard - Authenticated Cross-Site Scripting (XSS)
Published
2021-02-08
Title
Data Tables Generator by Supsystic < 1.10.1 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2023-01-26
Title
Hueman Addons <= 2.3.3 - Contributor+ Stored XSS via Shortcode