Woocommerce Vietnam Checkout < 2.0.6 – Unauthenticated Stored XSS | CVE 2023-5325 | Plugin Vulnerabilities

Description

The plugin does not escape the custom shipping phone field no the checkout form leading to XSS

Proof of Concept

1) Install both WooCommerce and the plugin.
2) Set a WooCommerce shipping method, and the store's address to one that is in Vietnam.
3) Add product to cart, and proceed to checkout
4) Tick "Ship to a different address?"
5) Fill the telephone field with:

" onmouseover="alert(1);//


An alert box should pop up when an administrator hovers the order's associated recipient phone number on http://vulnerable-site.tld/wp-admin/post.php?post=$ORDER_ID&action=edit

You can find a video here:

https://drive.proton.me/urls/JRWA6XHCR8#6MS36X7Ag78i

Affects Plugins

woo-vietnam-checkout

Fixed in 2.0.6

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

dc11

Submitter

dc11

Verified

Yes

WPVDB ID

e93841ef-e113-41d3-9fa1-b21af85bd812

Timeline

Publicly Published

2023-11-06 (about 2 years ago)

Added

2023-11-06 (about 2 years ago)

Last Updated

2023-11-06 (about 2 years ago)

Other

Published

Title

Published

2025-01-16

Title

Quote me <= 1.0 - Reflected Cross-Site Scripting

Published

2025-03-03

Title

WP Tabs < 2.2.7 - Admin+ Stored XSS

Published

2021-07-21

Title

Charitable - Donation Plugin < 1.6.51 - Unauthenticated Stored Cross-Site Scripting

Published

2025-07-03

Title

Easy restaurant menu manager < 2.0.2 - Authenticated (Contributot+) Stored Cross-Site Scripting via `nsc_eprm_menu_link` Shortcode

Published

2024-11-08

Title

PF Timer <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting