Official Integration for Billingo < 3.4.0 – ShopManager+ Stored XSS | CVE 2022-3420 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users with a role as low as Shop Manager to perform Stored Cross-Site Scripting attacks.

Proof of Concept

Put the following payload in the WooCommerce > Settings > Billingo > E-mail Beállítások > Gomb szöveg field (in the table): "><script>alert(/XSS/)</script>

Affects Plugins

Fixed in 3.4.0

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

ce5fac6e-8da1-4042-9cf8-7988613f92a5

Timeline

Publicly Published

2022-10-10 (about 3 years ago)

Added

2022-10-10 (about 3 years ago)

Last Updated

2022-10-10 (about 3 years ago)

Other

Published

Title

Published

2024-06-20

Title

Slider by 10Web < 1.2.56 - Editor+ Stored XSS

Published

2023-01-23

Title

Twenty20 Image Before-After <= 2.0.4 - Contributor+ Stored XSS

Published

2025-10-02

Title

Ird Slider <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2019-10-14

Title

WordPress <= 5.2.3 - Stored XSS in Style Tags

Published

2025-04-11

Title

Photo Gallery by 10Web – Mobile-Friendly Image Gallery < 1.8.35 Reflected Cross-Site Scripting via 'image_id' Parameter