WordPress Plugin Vulnerabilities

WooCommerce Payments < 6.5.0 - Contributor+ Cross-Site Scripting

Description

The plugin does not validate and escape some of its block attributes before outputting them back in a page/post where the block is rendered, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

Affects Plugins

Plugin icon
woocommerce-payments
Fixed in 6.5.0

References

CVE
CVE-2023-49828
URL
https://hackerone.com/reports/2169909
URL
https://patchstack.com/database/vulnerability/woocommerce-payments/wordpress-woopayments-plugin-6-4-2-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
Yes
WPVDB ID
b5f64388-6148-4bc5-a126-476c5ed17bb8

Timeline

Publicly Published
2023-12-05 (about 2 years ago)
Added
2023-12-11 (about 2 years ago)
Last Updated
2023-12-11 (about 2 years ago)

Other

Published
Title
Published
2024-11-28
Title
Cowidgets – Elementor Addons <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-06-19
Title
Modern Footnotes < 1.4.20 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2022-08-01
Title
Social Slider Feed < 2.0.5 - Subscriber+ Arbitrary API Key Update to Stored XSS
Published
2025-01-14
Title
Giga Messenger Bots <= 2.3.1 - Reflected XSS
Published
2024-02-20
Title
3D FlipBook – PDF Flipbook WordPress < 1.15.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Bookmarks