WordPress Plugin Vulnerabilities

Preview E-mails for WooCommerce < 2.0.0 - Reflected Cross-Site Scripting

Description

The plugin is vulnerable to reflected XSS via the search_order parameter found in the ~/views/form.php file.

Proof of Concept

Affects Plugins

Plugin icon
woo-preview-emails
Fixed in 2.0.0

References

CVE
CVE-2021-42363
URL
https://www.wordfence.com/blog/2021/11/woocommerce-extension-reflected-xss-vulnerability/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
https://wordfence.com
Submitter twitter
infosecchloe
Verified
Yes
WPVDB ID
f64eaf2d-b089-41ec-8a26-b19cfb67e435

Timeline

Publicly Published
2021-11-17 (about 4 years ago)
Added
2021-11-17 (about 4 years ago)
Last Updated
2022-04-08 (about 4 years ago)

Other

Published
Title
Published
2024-08-07
Title
ComboBlocks < 2.2.87 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2011-11-20
Title
WP-Cumulus - Cross Site Scripting Vulnerabily
Published
2024-11-04
Title
ElementsReady Addons for Elementor < 6.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-03-27
Title
Audio Album < 1.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-11-08
Title
Mapme <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting