Automattic: XSS Vulnerability in WooCommerce Product Vendors plugin

2017-07-25T17:07:43
ID H1:253313
Type hackerone
Reporter ramuelgall
Modified 2017-08-22T13:53:00

Description

Version 2.0.27 of the WooCommerce Product Vendors plugin doesn't appear to correctly escape the "vendor description" POST parameter and can be manipulated to reflect arbitrary scripting. The good news is that it does appear to do some form of clientside validation before posting, in addition to some serverside validation later, preventing this from becoming a stored attack. This appears to be due to the fact that "vendor_description" _POST parameter is echoed without being escaped on line 61 of templates/shortcode-registration-form.php

I've created the following vulnerable URL on my personal site; WordPress and all plugins and themes are up to date, and the site is using the default "Storefront" theme. http://steelpress.org/index.php/product-vendor-registration-form/

The unescaped script is visible in the source when you run:

curl -X POST -d "vendor_description=<script>alert("xss")</script>" "https://steelpress.org/index.php/product-vendor-registration-form/?confirm_email=1&email=1&firstname=1&lastname=1&location=1&register=Register&username=1&vendor_description=1&vendor_name=1"