WordPress Plugin Vulnerabilities

Kangu para WooCommerce < 2.2.10 - Reflected XSS

Description

The plugin does not sanitise and escape the etiqueta parameters before outputting it back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Affects Plugins

Plugin icon
kangu
Fixed in 2.2.10

References

CVE
CVE-2023-32296

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Jonas Höbenreich
Verified
No
WPVDB ID
4f97e915-1e6d-44de-a7d3-cb0c07a27b8d

Timeline

Publicly Published
2023-08-11 (about 2 years ago)
Added
2023-09-07 (about 2 years ago)
Last Updated
2023-09-07 (about 2 years ago)

Other

Published
Title
Published
2022-07-11
Title
Event Timeline <= 1.1.6 - Admin+ Stored Cross-Site Scripting
Published
2025-06-05
Title
Simple Google Static Map <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-09-05
Title
Easy Download Media Counter <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-06-13
Title
StreamWeasels Kick Integration < 1.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via status-classic-offline-text Parameter
Published
2025-04-07
Title
Popping Content Light <= 2.4 - Reflected Cross-Site Scripting