Print Invoice & Delivery Notes for WooCommerce < 4.7.2 – Reflected XSS | CVE 2023-0479 | Plugin Vulnerabilities

Description

The plugin is vulnerable to reflected XSS by echoing a GET value in an admin note within the WooCommerce orders page. This means that this vulnerability can be exploited for users with the edit_others_shop_orders capability. WooCommerce must be installed and active. This vulnerability is caused by a urldecode() after cleanup with esc_url_raw(), allowing double encoding.

Proof of Concept

http://localhost:8000/wp-admin/edit.php?post_type=shop_order&printed_order=1&total=1&print_url=%2522%253E%253Cscript%253Ealert%28document.domain%29%253C%252Fscript%253E%253Cp%252Bid%253D

Affects Plugins

woocommerce-delivery-notes

Fixed in 4.7.2

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

dc11

Submitter

dc11

Verified

Yes

WPVDB ID

50963747-ae8e-42b4-bb42-cc848be7b92e

Timeline

Publicly Published

2023-02-02 (about 2 years ago)

Added

2023-02-02 (about 2 years ago)

Last Updated

2023-02-02 (about 2 years ago)

Other

Published

Title

Published

2025-03-27

Title

Simplebooklet PDF Viewer and Embedder < 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-08-27

Title

Pronamic Google Maps < 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-01-20

Title

Heateor Social Comments < 1.6.2 - Contributor+ Stored XSS

Published

2023-03-21

Title

Userlike – WordPress Live Chat < 2.3 - Admin+ Stored Cross-Site Scripting

Published

2024-11-01

Title

WP Pocket URLs < 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting