The Zingiri Web Shop plugin is prone to multiple cross-site scripting vulnerabilities. When the malicious code is submitted, the JavaScript code is inserted into the database through the `$_POST['notes']` variable. When an administrator views the list of ordered items, the JavaScript code is loaded from the database and runs in the authenticated admin user's browser.
Update the plugin.
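
The stored-XSS flow described above, as an added illustration that is not code from the Zingiri Web Shop plugin: a stored `notes` value rendered into an admin order list without and with output encoding. The function names and the sample orders are hypothetical and constructed for this example.

```php
<?php
// Added illustration; not code from the Zingiri Web Shop plugin.
// All function and variable names here are hypothetical.

// Constructed sample rows standing in for orders read back from the database.
// The "notes" values are stored exactly as they were submitted.
$orders = [
    ['id' => 1, 'notes' => 'Please deliver after 5pm'],
    ['id' => 2, 'notes' => '<script>alert(1)</script>'],
];

// Vulnerable pattern: the stored value is concatenated into the admin page
// as HTML, so any markup in it is parsed by the administrator's browser.
function render_notes_unsafe(array $order): string
{
    return '<td>' . $order['notes'] . '</td>';
}

// Hardened pattern: encode at output time so the browser treats the value
// as text. In WordPress code, esc_html() serves the same purpose.
function render_notes_safe(array $order): string
{
    $encoded = htmlspecialchars(
        $order['notes'],
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return '<td>' . $encoded . '</td>';
}

// Render both variants for each constructed order to compare the output.
foreach ($orders as $order) {
    echo "order {$order['id']}\n";
    echo '  unsafe: ' . render_notes_unsafe($order) . "\n";
    echo '  safe:   ' . render_notes_safe($order) . "\n";
}
```

Encoding at output protects the admin view even for rows that were stored before any input validation was added.
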
CPE

Name | Operator | Version |
---|---|---|
zingiri web shop | le | 2.4.0 |