Description The plugin does not sanitise and escape various parameters before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin Note: The issue was fixed in 1.14.15 but re-introduced in 1.14.16
Make a logged in admin open one of the URL below: http://example.com/wp-admin/admin.php?page=multiparcels-shipping-for-woocommerce&tab;=sender-details&data;[name]='> http://example.com/wp-admin/admin.php?page=multiparcels-shipping-for-woocommerce&tab;=sender-details&errors;[name][][text]=
CPE | Name | Operator | Version |
---|---|---|---|
multiparcels-shipping-for-woocommerce | eq | 1.15.4 |