WordPress Plugin Vulnerabilities

Product Feed PRO for WooCommerce < 11.0.7 - Subscriber+ Settings Update to Stored XSS

Description

The plugin does not have authorisation and CSRF check in some of its AJAX actions, allowing any authenticated users to call then, which could lead to Stored Cross-Site Scripting issue (which will be triggered in the admin dashboard) due to the lack of escaping.

v10.9.1 added a CSRF check, however authorisation was still missing until 11.0.7

Proof of Concept

Affects Plugins

Plugin icon
woo-product-feed-pro
Fixed in 11.0.7

References

CVE
CVE-2021-24974

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.0 (high)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
8ed549fe-7d27-4a7a-b226-c20252964b29

Timeline

Publicly Published
2021-12-23 (about 4 years ago)
Added
2021-12-23 (about 4 years ago)
Last Updated
2022-04-10 (about 3 years ago)

Other

Published
Title
Published
2023-10-20
Title
Carousel, Recent Post Slider and Banner Slider < 2.1 - Contributor+ Stored Cross-Site Scripting
Published
2024-11-08
Title
Pull This <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-04-09
Title
Aria Font <= 1.4 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2025-11-20
Title
Display Pages Shortcode <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-09-20
Title
Tutor LMS < 1.9.9 - Multiple Admin+ Stored Cross-Site Scripting