WordPress Plugin Vulnerabilities

Woocommerce Customers Manager < 26.6 - Authenticated Reflected Cross-Site Scripting (XSS)

Description

The wccm_customers_ids and wccm_customers_emails parameters are output in href attributes, after being sanitised with the sanitize_text_field() function, which is not appropriate for such case, as payload such as ' injected-attribute=value will still be injected. This lead to a reflected XSS issue in the administrator dashboard when opening a malicious URL

Proof of Concept

Affects Plugins

Plugin icon
woocommerce-customers-manager
Fixed in 26.6

References

URL
https://codecanyon.net/item/woocommerce-customers-manager/10965432
URL
https://blog.wpscan.com/2021/04/08/woocommerce-customers-manager-wordpress-security-vulnerabilities.html

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
ad9dd88c-7ae8-41ac-a0d7-469e146f7817

Timeline

Publicly Published
2021-03-30 (about 4 years ago)
Added
2021-03-30 (about 4 years ago)
Last Updated
2021-04-09 (about 4 years ago)

Other

Published
Title
Published
2024-07-09
Title
WP Ajax Contact Form <= 2.2.2 - Reflected Cross-Site Scripting
Published
2024-04-15
Title
Simple Testimonials Showcase <= 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2021-12-07
Title
WP All Import < 3.6.5 - Reflected Cross-Site Scripting
Published
2025-05-07
Title
JupiterX Core < 4.8.12 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-09-11
Title
Spotify Embed Creator <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting