wpvulndb | Suprit S Pandurangi | WPVDB-ID: FDDC5A1C-F267-4EF4-8ACF-731DBECAC450
History: Apr 24, 2023 - 12:00 a.m.

Product Addons & Fields for WooCommerce < 32.0.6 - Admin+ Stored Cross-Site Scripting

2023-04-24 00:00:00
Suprit S Pandurangi
wpscan.com
10
wordpress
woocommerce
security

EPSS: 0.001 (Low)
EPSS Percentile: 23.7%

The plugin does not sanitize and escape some of its setting fields, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup).
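As an added illustration (hypothetical code, not the plugin's own and not part of the advisory), the following contrasts the unescaped settings-field pattern the advisory describes with a hardened version that sanitizes on save and escapes on output; the option names, function names and nonce action are assumptions, and the field names mirror the advisory's "Meta group name".

```php
<?php
// Hypothetical example, not code from the plugin. Option/function names are assumptions.

// Vulnerable pattern: the raw POST value is stored as-is and later echoed into the
// admin page without escaping, so whatever an admin typed executes for every other
// admin who opens the group, regardless of the unfiltered_html capability.
function ppom_example_save_group_vulnerable() {
    update_option( 'ppom_example_group_name', $_POST['meta_group_name'] );
    update_option( 'ppom_example_group_desc', $_POST['meta_group_desc'] );
}
function ppom_example_render_group_vulnerable() {
    echo '<h2>' . get_option( 'ppom_example_group_name' ) . '</h2>';
    echo '<div>' . get_option( 'ppom_example_group_desc' ) . '</div>';
}

// Hardened pattern: capability + nonce check, sanitize on save, escape on output.
function ppom_example_save_group_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'ppom_example_save_group' ); // nonce action is an assumption

    // A group name is plain text: strip all tags, whoever the saving user is.
    $name = isset( $_POST['meta_group_name'] ) ? wp_unslash( $_POST['meta_group_name'] ) : '';
    update_option( 'ppom_example_group_name', sanitize_text_field( $name ) );

    // A field that may legitimately carry markup must honour unfiltered_html:
    // when the capability is disallowed (e.g. non-super-admins on multisite, or
    // DISALLOW_UNFILTERED_HTML), reduce the value to the post-safe tag set.
    $desc = isset( $_POST['meta_group_desc'] ) ? wp_unslash( $_POST['meta_group_desc'] ) : '';
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $desc = wp_kses_post( $desc );
    }
    update_option( 'ppom_example_group_desc', $desc );
}

function ppom_example_render_group_hardened() {
    $name = get_option( 'ppom_example_group_name', '' );
    $desc = get_option( 'ppom_example_group_desc', '' );
    // Escape for the exact output context: text node vs. attribute value.
    echo '<h2>' . esc_html( $name ) . '</h2>';
    echo '<input name="meta_group_name" value="' . esc_attr( $name ) . '">';
    // Re-filter on output as well, in case older stored values bypassed the save path.
    echo '<div>' . wp_kses_post( $desc ) . '</div>';
}
```

Sanitizing on save alone is not enough for values that were already stored before the fix, which is why the hardened render path filters again on output.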

PoC

- Install the plugin (and WooCommerce, which it depends on to do anything useful)
- Navigate to WooCommerce -> PPOM Fields
- Click on the “Add new group” green button
- Fill the “Meta group name”, “Control price display on product page” and “Apply for Categories” with gibberish.
- Add a field by clicking the “Add field” blue button
- Select “Text Input”
- Insert in the “Title” text field, and save.
- You should get an alert box, BUT, we’re not done yet. To make the popup appear to other administrators, click on the “Save Fields” button on the bottom right.
- Any (super-)administrators visiting http://vulnerable.site/wp-admin/admin.php?page=ppom&productmeta_id=$ID_OF_THE_CREATED_PPOM_GROUP&do_meta=edit will see the alert box. This can be done by a legitimate administrator by clicking on the malicious group’s name in http://wpscan-vulnerability-test-bench.ddev.site/wp-admin/admin.php?page=ppom

CPE
Name: woocommerce-product-addon
Operator: lt
Version: 32.0.6
