WordPress Plugin Vulnerabilities

WooCommerce Conversion Tracking < 2.0.5 - CSRF to XSS

Description

The settings page of the plugin is lacking CSRF checks as well as input sanitisation, leading to stored XSS.

Proof of Concept

Affects Plugins

Plugin icon
woocommerce-conversion-tracking
Fixed in 2.0.5

References

URL
https://plugins.trac.wordpress.org/changeset/2220764

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Verified
No
WPVDB ID
9a7974ae-dd74-4fc9-a261-ea1429771de9

Timeline

Publicly Published
2020-01-03 (about 6 years ago)
Added
2020-01-03 (about 6 years ago)
Last Updated
2020-01-03 (about 6 years ago)

Other

Published
Title
Published
2025-01-24
Title
AI Chatbot for WordPress – Hyve Lite < 1.2.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2023-01-18
Title
TemplatesNext ToolKit < 3.2.9 - Contributor+ Stored XSS
Published
2024-12-11
Title
Advanced Blog Post Block <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-06-17
Title
YOP Poll < 6.2.8 - Unauthenticated Stored Cross-Site Scripting
Published
2025-08-06
Title
Pets <= 1.4.1 - Reflected Cross-Site Scripting