WordPress Plugin Vulnerabilities

WooCommerce Follow-Up Emails < 4.9.50 - Unauthenticated Reflected XSS

Description

The plugin does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin.

Affects Plugins

Plugin icon
woocommerce-follow-up-emails
Fixed in 4.9.50

References

CVE
CVE-2023-33319
URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woocommerce-follow-up-emails/woocommerce-follow-up-emails-4940-reflected-cross-site-scripting
URL
https://patchstack.com/database/vulnerability/woocommerce-follow-up-emails/wordpress-woocommerce-follow-up-emails-plugin-4-9-40-reflected-cross-site-scripting-xss-vulnerability

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
e6c8015d-1a06-4121-9ef6-d555f3432a2e

Timeline

Publicly Published
2023-05-22 (about 2 years ago)
Added
2023-05-29 (about 2 years ago)
Last Updated
2023-05-29 (about 2 years ago)

Other

Published
Title
Published
2023-07-20
Title
Borderless < 1.4.9 - Admin+ Stored XSS
Published
2025-04-15
Title
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor < 3.13.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2025-07-23
Title
WP Get The Table < 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter
Published
2014-08-01
Title
Recommend a friend 2.0.2 - inc/raf_form.php current_url Parameter Reflected XSS
Published
2024-12-04
Title
Blocksy < 2.0.78 - Authenticated (Contributor+) Stored Cross-Site Scripting