WordPress Plugin Vulnerabilities

Store Toolkit for WooCommerce < 2.3.2 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape the tab parameter before outputting it back in an admin page in an error message, leading to a Reflected Cross-Site Scripting

Proof of Concept

Affects Plugins

Plugin icon
woocommerce-store-toolkit
Fixed in 2.3.2

References

CVE
CVE-2021-25077
URL
https://plugins.trac.wordpress.org/changeset/2654503

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
53868650-aba0-4d07-89d2-a998bb0ee5f6

Timeline

Publicly Published
2022-01-10 (about 3 years ago)
Added
2022-01-10 (about 3 years ago)
Last Updated
2022-04-12 (about 3 years ago)

Other

Published
Title
Published
2014-08-01
Title
Artiss Code Embed 2.0.1 - wp-admin/admin.php suffix Parameter XSS
Published
2023-04-01
Title
Weaver Show Posts < 1.7 - Contributor+ Stored Cross-Site Scripting
Published
2025-09-22
Title
Zoho Billing <= 4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-06-08
Title
Gallery Bank <= 4.0.50 - Author+ Stored XSS via Media Upload Module
Published
2025-07-21
Title
WP-Members < 3.5.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting