WordPress Plugin Vulnerabilities

Product Addons & Fields for WooCommerce < 32.0.6 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not sanitize and escape some of its setting fields, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).

Proof of Concept

- Install the plugin (and WooCommerce, which it depends on to do anything useful)
- Navigate to WooCommerce -> PPOM Fields
- Click on the "Add new group" green button
- Fill the "Meta group name", "Control price display on product page" and "Apply for Categories" with gibberish.
- Add a field by clicking the "Add field" blue button
- Select "Text Input"
- Insert <script>alert(1);</script> in the "Title" text field, and save.
- You should get an alert box, BUT, we're not done yet. To make the popup appear to other administrators, click on the "Save Fields" button on the bottom right.
- Any (super-)administrators visiting http://vulnerable.site/wp-admin/admin.php?page=ppom&productmeta_id=$ID_OF_THE_CREATED_PPOM_GROUP&do_meta=edit will see the alert box. This can be done by a legitimate administrator by clicking on the malicious group's name in http://wpscan-vulnerability-test-bench.ddev.site/wp-admin/admin.php?page=ppom
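
The missing sanitize-on-save and escape-on-output steps from the description, as an added example that is not the plugin's code or its patch. The function names, the `<span>` output context and the sample titles are assumptions, and plain PHP built-ins stand in for WordPress's sanitize_text_field() and esc_html() so the file runs outside WordPress.

```php
<?php
// Added example: hypothetical helpers, not the plugin's code. Plain PHP so it
// runs with `php example.php`; in a plugin use sanitize_text_field() on save
// and esc_html() / esc_attr() on output instead.

// Save path: reduce a submitted field title to single-line plain text.
function example_clean_title(string $raw): string
{
    $text = strip_tags($raw);                        // drop markup such as <script>
    $text = preg_replace('/\s+/', ' ', $text) ?? ''; // collapse newlines and tabs
    return trim($text);
}

// Unescaped render (the failure mode): stored value placed in the page as-is.
// The <span> text context is an assumption made for this example.
function example_render_unescaped(string $stored): string
{
    return '<span class="field-title">' . $stored . '</span>';
}

// Hardened render: escape for HTML at output time, whatever was stored.
function example_render_escaped(string $stored): string
{
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="field-title">' . $safe . '</span>';
}

// Constructed sample input: the title from the steps above and an ordinary one.
$titles = ['<script>alert(1);</script>', 'Engraving "text" (max 20)'];

foreach ($titles as $raw) {
    $clean = example_clean_title($raw);
    echo "submitted            : $raw\n";
    echo "stored after cleanup : $clean\n";
    // Rows saved before cleanup existed still hold raw markup, so the
    // render path has to escape on its own.
    echo "raw row, unescaped   : " . example_render_unescaped($raw) . "\n";
    echo "raw row, escaped     : " . example_render_escaped($raw) . "\n\n";
}
```

Escaping at output is what protects other administrators opening the group's edit page, because it does not depend on who saved the value or which capabilities they held.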

Classification

Type
XSS

Miscellaneous

Original Researcher
Suprit S Pandurangi
Submitter
Suprit S Pandurangi
Verified
Yes

Timeline

Publicly Published
2023-04-24
Added
2023-04-24
Last Updated
2023-04-24