WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Abandoned Cart Lite for WooCommerce < 5.2.0 - Unauthenticated Stored Cross-Site Scripting (XSS)

Description

The save_data() AJAX call, used by unauthenticated users, such as guest during the checkout process, does not sanitise or validate user input (for example billing_first_name, billing_last_name, and billing_company fields). This leads to a Stored Cross-Site Scripting issue which will be triggered in the admin dashboard.

Affects Plugins

woocommerce-abandoned-cart
Fixed in version 5.2.0
woocommerce-abandoned-cart-pro
Fixed in version 5.2.0

References

URL
https://www.wordfence.com/blog/2019/03/xss-flaw-in-abandoned-cart-plugin-leads-to-wordpress-site-takeovers/
URL
https://plugins.trac.wordpress.org/changeset/2033212/woocommerce-abandoned-cart

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Submitter

Ryan Dewhurst

Submitter twitter
ethicalhack3r
Verified

No

WPVDB ID
915420b1-f476-481e-9b11-b736a7cfdda7

Timeline

Publicly Published

2019-03-11 (about 4 years ago)

Added

2019-03-11 (about 4 years ago)

Last Updated

2020-11-08 (about 2 years ago)

Our Other Services

WPScan WordPress Security Plugin