WordPress Plugin Vulnerabilities

Product Addons & Fields for WooCommerce < 32.0.6 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitize and escape some of its setting fields, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).

Proof of Concept

Affects Plugins

Plugin icon
woocommerce-product-addon
Fixed in 32.0.6

References

CVE
CVE-2023-1839

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Suprit S Pandurangi
Submitter
Suprit S Pandurangi
Submitter website
https://www.linkedin.com/in/suprit-pandurangi-a90526106/
Submitter twitter
Suprit2002
Verified
Yes
WPVDB ID
fddc5a1c-f267-4ef4-8acf-731dbecac450

Timeline

Publicly Published
2023-04-24 (about 2 years ago)
Added
2023-04-24 (about 2 years ago)
Last Updated
2023-04-24 (about 2 years ago)

Other

Published
Title
Published
2025-09-23
Title
WorkScout-Core < 1.7.06 - Reflected Cross-Site Scripting
Published
2023-12-26
Title
HT Mega < 2.3.9 - Reflected Cross-Site Scripting
Published
2022-12-01
Title
Afterpay Gateway for WooCommerce < 3.5.1 - Reflected Cross-Site Scripting
Published
2018-10-26
Title
Elementor Pro < 2.0.10 - XSS
Published
2015-08-24
Title
Googmonify <= 0.5.1 - CSRF & XSS