WPify Woo Czech < 3.5.7 – Reflected Cross-Site Scripting (XSS)

Description

The plugin uses the Vies library v2.2.0, which has a sample file outputting $_SERVER['PHP_SELF'] in an attribute without being escaped first, leading to a Reflected Cross-Site Scripting. The issue is only exploitable when the web server has the PDO driver installed, and write access to the example directory (otherwise an exception will be raised before the payload is output).

Proof of Concept

https://example.com/wp-content/plugins/wpify-woo/deps/dragonbe/vies/examples/async_processing/queue.php/"><script>alert(/XSS/)</script>

Affects Plugins

wpify-woo

Fixed in 3.5.7

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

4.7 (medium)

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

5c66c32b-22f2-4b59-a6b2-b8da944cdc3c

Timeline

Publicly Published

2022-05-16 (about 3 years ago)

Added

2022-05-16 (about 3 years ago)

Last Updated

2022-05-16 (about 3 years ago)

Other

Published

Title

Published

2022-12-27

Title

Published

2020-10-07

Title

WPBakery Page Builder < 6.4.1 - Authenticated Stored Cross-Site Scripting (XSS)

Published

2025-05-01

Title

tagDiv Composer < 5.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes

Published

2023-11-07

Title

Q2W3 Post Order <= 1.2.8 - Reflected Cross-Site Scripting

Published

2024-03-19

Title

Website Article Monetization By MageNet < 1.0.12 - Unauthenticated Stored XSS