WordPress Plugin Vulnerabilities

WOOF - Products Filter for WooCommerce < 1.2.6.3 - Reflected Cross-Site Scripting

Description

The plugin does not sanitise and escape the woof_redraw_elements before outputing back in an admin page, leading to a Reflected Cross-Site Scripting

Proof of Concept

Affects Plugins

Plugin icon
woocommerce-products-filter
Fixed in 1.2.6.3

References

CVE
CVE-2021-25085
URL
https://plugins.trac.wordpress.org/changeset/2648751

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
b7dd81c6-6af1-4976-b928-421ca69bfa90

Timeline

Publicly Published
2021-12-28 (about 4 years ago)
Added
2021-12-28 (about 4 years ago)
Last Updated
2022-04-13 (about 3 years ago)

Other

Published
Title
Published
2024-01-18
Title
Fluent Forms < 5.1.7 - Admin+ Stored Cross-Site Scripting via imported form title
Published
2025-10-31
Title
Schema & Structured Data for WP & AMP < 1.52 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-06-05
Title
Themesflat Addons For Elementor < 2.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting in Multiple Widgets
Published
2025-03-21
Title
CryoKey <= 2.4 - Reflected Cross-Site Scripting via 'ckemail' Parameter
Published
2025-02-27
Title
Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons < 26.0.1 - Unauthenticated Stored Cross-Site Scripting