WordPress Plugin Vulnerabilities

WooCommerce PDF Invoices & Packing Slips < 2.10.5 - Reflected Cross-Site Scripting

Description

The plugin does not escape the tab and section parameters before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting in the admin dashboard

Proof of Concept

Affects Plugins

Plugin icon
woocommerce-pdf-invoices-packing-slips
Fixed in 2.10.5

References

CVE
CVE-2021-24991

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
88e706df-ae03-4665-94a3-db226e1f31a9

Timeline

Publicly Published
2021-12-06 (about 4 years ago)
Added
2021-12-06 (about 4 years ago)
Last Updated
2022-04-11 (about 3 years ago)

Other

Published
Title
Published
2024-11-08
Title
Adventure Bucket List <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-09-10
Title
WP Easy FAQs <= 1.0.5 - Authenticated (Author+) Stored Cross-Site Scripting via WP_EASY_FAQ Shortcode
Published
2022-05-09
Title
Team Members < 5.1.1 - Admin+ Stored Cross-Site Scripting
Published
2024-11-18
Title
Youneeq Recommendations <= 3.0.7 - Reflected Cross-Site Scripting
Published
2022-02-21
Title
Multisite Content Copier/Updater < 2.1.2 - Reflected Cross-Site Scripting