WooCommerce Products Table < 1.0.4 – Reflected Cross-Site Scripting

Description

The plugin does not sanitise or escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting issues

Proof of Concept

https://example.com/?woot-remote-page=<script>alert(/XSS-page/)</script>&anchor=1&width=<script>alert(/XSS-width/)</script>
https://example.com/?woot-remote-page=1&anchor=1&arbitrary=<img src=x onerror=alert(`XSS-arbitary`)>

Affects Plugins

profit-products-tables-for-woocommerce

Fixed in 1.0.4

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

6.1 (medium)

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

e4e36ba0-b0be-41bd-8779-dedbc49f3718

Timeline

Publicly Published

2021-10-12 (about 4 years ago)

Added

2021-10-12 (about 4 years ago)

Last Updated

2021-10-12 (about 4 years ago)

Other

Published

Title

Published

2023-01-24

Title

Watu Quiz < 3.3.8.3 - Admin+ Stored XSS

Published

2025-08-22

Title

tli.tl auto Twitter poster <= 3.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2024-11-08

Title

IA Map Analytics Basic <= 20170413 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2014-09-20

Title

VideoWhisper Video Presentation 3.25 - vp/c_login.php room_name Parameter Reflected XSS

Published

2023-07-12

Title

Art Direction <= 0.2.4 - Contributor+ Stored XSS