WPVDB-ID: E93841EF-E113-41D3-9FA1-B21AF85BD812
Published: Nov 06, 2023 - 12:00 a.m.

Woocommerce Vietnam Checkout < 2.0.6 - Unauthenticated Stored XSS

Author: dc11
Source: wpscan.com
Tags: woocommerce, vietnam, unauthenticated, stored xss

EPSS: 0.0005 (Low)
EPSS Percentile: 17.0%

Description

The plugin does not escape the custom shipping phone field on the checkout form, leading to stored XSS.

PoC

1. Install both WooCommerce and the plugin.
2. Set a WooCommerce shipping method, and the store's address to one that is in Vietnam.
3. Add a product to the cart, and proceed to checkout.
4. Tick "Ship to a different address?".
5. Fill the telephone field with: " onmouseover="alert(1);//

An alert box should pop up when an administrator hovers the order's associated recipient phone number on http://vulnerable-site.tld/wp-admin/post.php?post=$ORDER_ID&action=edit

You can find a video here: https://drive.proton.me/urls/JRWA6XHCR8#6MS36X7Ag78i
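The root cause the description names is output escaping, not input validation: the phone string is stored as submitted and later written into the admin order screen as-is. The following is an added illustration, not code from the Woocommerce Vietnam Checkout plugin (whose source is not shown on this page). It assumes a hypothetical render function for the admin order view and shows the unescaped pattern beside a version that escapes per context with WordPress's esc_attr() and esc_html(); minimal stand-ins for those two functions are assumed so the file also runs from the PHP CLI outside WordPress. The payload quoted in the PoC above is used as constructed input.

```php
<?php
// Added example, not code from the Woocommerce Vietnam Checkout plugin.
// Shows the unescaped output pattern the advisory describes next to a
// version escaped with WordPress's output-escaping functions.

// Stand-ins so the file runs from the CLI outside WordPress; inside
// WordPress the real esc_attr()/esc_html() from wp-includes are used.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern (hypothetical): the phone value submitted at checkout is
// written into the admin order screen as-is, once inside an attribute value
// and once as element text. A stored value containing a double quote can
// close the attribute and inject a new one.
function render_shipping_phone_unescaped(string $phone): string {
    return '<span class="shipping-phone" title="' . $phone . '">' . $phone . '</span>';
}

// Hardened pattern: escape for the context the value lands in. esc_attr()
// for attribute values, esc_html() for element content. Escaping happens at
// output time, so it also protects values that were stored before the fix.
function render_shipping_phone_escaped(string $phone): string {
    return '<span class="shipping-phone" title="' . esc_attr($phone) . '">'
        . esc_html($phone) . '</span>';
}

// Constructed input: the payload quoted in the advisory's PoC.
$payload = '" onmouseover="alert(1);//';

echo "Unescaped:\n", render_shipping_phone_unescaped($payload), "\n\n";
echo "Escaped:\n", render_shipping_phone_escaped($payload), "\n";
// In the escaped output every double quote is emitted as &quot;, so the value
// stays inside the title attribute and no event-handler attribute is created.
```

When reviewing a plugin for this class of bug, the check is the same for every user-controlled field that reaches an admin page: find each echo or concatenation into markup and confirm the value passes through the escaping function matching its context (esc_attr, esc_html, esc_url) at that point, rather than relying on sanitization that may or may not have happened when the value was saved.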
Affected version (CPE)

Name | Operator | Version
---- | -------- | -------
(not given) | eq | 2.0.6
