WordPress Plugin Vulnerabilities

WOOCS < 1.3.7.3 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape the custom_prices parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

Affects Plugins

Plugin icon
woocommerce-currency-switcher
Fixed in 1.3.7.3

References

CVE
CVE-2021-25043
URL
https://plugins.trac.wordpress.org/changeset/2640621/woocommerce-currency-switcher

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
8601bd21-becf-4809-8c11-d053d1121eae

Timeline

Publicly Published
2021-12-13 (about 4 years ago)
Added
2021-12-13 (about 4 years ago)
Last Updated
2022-04-11 (about 3 years ago)

Other

Published
Title
Published
2021-09-09
Title
Feedify Web Push Notifications < 2.1.9 - Reflected Cross-Site Scripting
Published
2024-12-17
Title
WP eCommerce Quickpay <= 1.1.0 - Reflected Cross-Site Scripting
Published
2025-10-03
Title
Trinity Audio < 5.21.0 - Reflected Cross-Site Scripting
Published
2024-09-09
Title
Slider by 10Web < 1.2.59 - Admin+ Stored XSS
Published
2021-12-21
Title
Simple Download Monitor < 3.9.11 - Contributor+ Stored Cross-Site Scripting via Shortcodes