WooCommerce Product Vendors Plugin < 2.0.36 – Unauthenticated Reflected XSS

Affects Plugins

woocommerce-product-vendors

Fixed in 2.0.36

References

URL

https://hackerone.com/reports/253313

URL

https://woocommerce.com/products/product-vendors/

URL

https://threatpost.com/reflected-xss-bug-patched-in-popular-woocommerce-wordpress-plugin/127744/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

Miscellaneous

Submitter

ethicalhack3r

Submitter twitter

ethicalhack3r

Verified

No

WPVDB ID

6d91d359-55fc-4c71-955d-50b6261bf0d5

Timeline

Publicly Published

2017-08-22 (about 8 years ago)

Added

2017-08-31 (about 8 years ago)

Last Updated

2019-11-01 (about 6 years ago)

Other

Published

Title

Published

2024-09-04

Title

WP ULike < 4.7.4 - Admin+ Stored XSS

Published

2025-08-01

Title

Image Gallery <= 1.0.0 - Reflected Cross-Site Scripting

Published

2025-09-05

Title

WordPress Events Calendar Plugin – connectDaily <= 1.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-04-09

Title

MultiMailer <= 1.0.3 - Reflected Cross-Site Scripting

Published

2025-03-17

Title

WP Azure offload <= 2.0 - Reflected Cross-Site Scripting