WordPress Plugin Vulnerabilities

SW Ajax WooCommerce Search < 1.2.8 - Unauthenticated Reflected XSS & XFS

Description

An Unauthenticated Reflected XSS & XFS vulnerabilities were discovered in the SW Ajax WooCommerce Search plugin v1.2.6 for WordPress.

The plugin comes with a number of commercial themes such as: OneMall, Revo, eMarket, Autusin, Market, MaxShop, ShoppyStore, Furnicom, EtroStore, HiTheme, StyleShop, TopDeal, Victo, Avesa, Soaz, Binace, Houskit, Gaion, Furniki, Rozy, SecretSho, BosMarket, Siezz, HiStore, Ecomart, iMarket, NeoMarket, 9Merry, LeVogue, Floris, Alishop, KONStore, ShopyMall, DresShop, Shop4U, FurniHome, Tech8 and the vendor is releasing new versions with the updated plugin in them.

Proof of Concept

Affects Plugins

Plugin icon
sw_ajax_woocommerce_search
Fixed in 1.2.8

References

URL
https://ex-mi.ru/exploit/[2020-10-21]-[WordPress]-sw-ajax-woocommerce-search-plugin-v1.2.6.txt
URL
https://wpthemego.com/document/documentation-for-sw-ajax-woocommerce-search/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Ex.Mi
Submitter
Ex.Mi
Submitter website
https://ex-mi.ru
Verified
Yes
WPVDB ID
ba026213-b607-4aaf-8a9d-8e41fc1a3a70

Timeline

Publicly Published
2020-10-30 (about 5 years ago)
Added
2020-10-30 (about 5 years ago)
Last Updated
2020-11-03 (about 5 years ago)

Other

Published
Title
Published
2025-09-22
Title
Genesis Club Lite <= 1.17 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-07-15
Title
Brandfolder < 5.0.20 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
Published
2025-04-03
Title
CF7 Spreadsheets <= 2.3.2 - Reflected Cross-Site Scripting
Published
2022-11-03
Title
Google Forms <= 0.95 - Admin+ Stored XSS
Published
2025-11-24
Title
ZWeb - Social Mobile <= 1.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting