WordPress Plugin Vulnerabilities

WooCommerce Amazon Pay 2.0.0 - Reflected Cross-Site Scripting

Description

The plugin does not properly sanitise the URLs generated in the actions buttons of the Amazon Pay meta box in the admin dashboard when viewing an order paid via Amazon Pay

Proof of Concept

https://example.com/wp-admin/post.php?post=796&action=edit&%22%3E%3Cscript%3Ealert(/XSS/)%3C/script%3E

Affects Plugins

Plugin icon
woocommerce-gateway-amazon-payments-advanced
Fixed in 2.0.1

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
WPScanTeam
Verified
Yes
WPVDB ID
e188dbc7-5660-4252-8089-2cf89c9d0809

Timeline

Publicly Published
2021-05-14 (about 3 years ago)
Added
2022-06-07 (about 1 years ago)
Last Updated
2022-06-07 (about 1 years ago)

Other

Published
Title
Published
2014-08-01
Title
WP SlimStat 2.8.4 - wp-content/plugins/wp-slimstat/admin/view/panel1.php s Parameter XSS
Published
2016-07-26
Title
ColorWay < 3.4.2 - Cross-Site Scripting (XSS)
Published
2023-06-16
Title
wpView <= 1.3.0 - Admin+ Stored XSS
Published
2022-01-06
Title
WordPress < 5.8.3 - Author+ Stored XSS via Post Slugs
Published
2023-02-24
Title
All in One SEO Pack < 4.3.0 - Admin+ Stored XSS