Description
The plugin does not escape the custom shipping phone field on the checkout form, leading to stored XSS when the value is rendered in the admin order screen.
PoC
1) Install both WooCommerce and the plugin.
2) Set a WooCommerce shipping method, and the store’s address to one that is in Vietnam.
3) Add a product to the cart, and proceed to checkout.
4) Tick “Ship to a different address?”.
5) Fill the telephone field with: " onmouseover="alert(1);//

An alert box should pop up when an administrator hovers the order’s associated recipient phone number on http://vulnerable-site.tld/wp-admin/post.php?post=$ORDER_ID&action=edit

You can find a video here: https://drive.proton.me/urls/JRWA6XHCR8#6MS36X7Ag78i
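As an added illustration that is not part of this advisory or the plugin's own code, the pattern behind the bug and its fix: a hypothetical WooCommerce admin callback that prints a custom shipping phone meta value unescaped, beside the same output wrapped in WordPress's context-appropriate escapers. The meta key `_custom_shipping_phone` and the checkout field name `custom_shipping_phone` are assumptions, not the plugin's real identifiers.

```php
<?php
// Added example, not the plugin's code. Assumed meta key: '_custom_shipping_phone',
// assumed checkout field: 'custom_shipping_phone'. Both render callbacks run on the
// order edit screen (wp-admin/post.php?post=...&action=edit) via a real WooCommerce hook.

// VULNERABLE: the value typed at checkout is echoed straight into admin HTML.
// Quote characters in the stored value close the attribute, so attacker-chosen
// event handlers execute in the administrator's browser (stored XSS).
function vulnerable_render_shipping_phone( $order ) {
    $phone = $order->get_meta( '_custom_shipping_phone' );
    echo '<p class="form-field"><strong>Phone:</strong> '
        . '<a href="tel:' . $phone . '">' . $phone . '</a></p>';
}

// FIXED: escape on output, choosing the escaper that matches the HTML context.
function fixed_render_shipping_phone( $order ) {
    $phone = $order->get_meta( '_custom_shipping_phone' );
    echo '<p class="form-field"><strong>Phone:</strong> '
        . '<a href="tel:' . esc_attr( $phone ) . '">' // attribute context
        . esc_html( $phone )                            // text-node context
        . '</a></p>';
}

// Defence in depth: also sanitize when the checkout form is saved, so the stored
// meta never carries markup in the first place. Output escaping above still stays.
function sanitize_shipping_phone_on_checkout( $order_id ) {
    if ( isset( $_POST['custom_shipping_phone'] ) ) {
        $raw = wp_unslash( $_POST['custom_shipping_phone'] );
        update_post_meta( $order_id, '_custom_shipping_phone', sanitize_text_field( $raw ) );
    }
}

add_action( 'woocommerce_admin_order_data_after_shipping_address', 'fixed_render_shipping_phone' );
add_action( 'woocommerce_checkout_update_order_meta', 'sanitize_shipping_phone_on_checkout' );
```

With the fixed callback, the payload from the PoC is rendered as literal text in the admin screen instead of becoming an event-handler attribute.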