Title: WordPress 'Cart66 Lite :: WordPress Ecommerce' plugin - Reflected XSS
Version: 1.5.4
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2015/01/26
Download: https://wordpress.org/plugins/cart66-lite/
Contacted WordPress: 2015/01/26
================================================================
## Description
================================================================
Cart66 is a simple to use yet powerful ecommerce plugin for WordPress. Sell digital products
and/or physical products with Cart66. The easiest to use WordPress ecommerce shopping cart plugin.
## Reflected XSS
================================================================
The plugin suffers from a reflected cross-site scripting vulnerability in the file orders.php,
which is loaded in /wp4/wp-admin/admin.php?page=cart66_admin when viewing the orders.
The vulnerability can be exploited by tricking a logged-in admin into clicking a URL.
## PoC
================================================================
The vulnerable parameter is called "status". Its value is read from $_GET['status']
but is not sanitized or escaped before being printed into the page.
The vulnerability can be triggered with the following link:
/wp4/wp-admin/admin.php?page=cart66_admin&status=</script><script>alert(document.cookie);</script>
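As an added illustration, not code from the Cart66 plugin itself, the following PHP reconstructs the pattern the advisory describes (a request parameter concatenated straight into the admin page's HTML) next to a hardened version that allow-lists the value and escapes it for the context it lands in. The function names, the allowed status values, and the assumption that the value also lands inside a script block (which the payload's leading `</script>` suggests) are all assumptions for this example; the WordPress escaping helpers are shimmed so the file also runs under plain `php` on the command line.

```php
<?php
// Added example, not Cart66's own source. It reconstructs the pattern the
// advisory describes ($_GET['status'] printed without escaping) and shows
// the hardened form. Function names and the allowed status values are
// assumptions made for this illustration.

// Stand-in shims so the file runs under plain `php` outside WordPress; inside
// WordPress the real esc_html()/esc_attr()/sanitize_key() are used instead.
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars($text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars($text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('sanitize_key')) {
    // Mirrors WordPress sanitize_key(): lowercase, keep only [a-z0-9_-].
    function sanitize_key($key) { return preg_replace('/[^a-z0-9_\-]/', '', strtolower($key)); }
}

// Vulnerable pattern: the request value is concatenated into HTML output and
// into an inline script with no escaping, which is what the advisory reports.
function render_status_filter_vulnerable($status) {
    return '<p>Showing orders with status: ' . $status . '</p>' . "\n"
         . '<script>var currentStatus = "' . $status . '";</script>';
}

// Hardened pattern: normalise, allow-list, then escape for the exact context.
function render_status_filter_hardened($status) {
    $allowed = array('', 'new', 'shipped', 'cancelled'); // assumed statuses
    $status  = sanitize_key($status);
    if (!in_array($status, $allowed, true)) {
        $status = ''; // unknown value: fall back to "all orders"
    }
    // HTML body context -> esc_html(); attribute context -> esc_attr();
    // JS string context -> json_encode() with the HEX flags so <, >, &, ' and "
    // can never terminate the script block or the string literal.
    $js_flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return '<p>Showing orders with status: ' . esc_html($status) . '</p>' . "\n"
         . '<input type="hidden" name="status" value="' . esc_attr($status) . '">' . "\n"
         . '<script>var currentStatus = ' . json_encode($status, $js_flags) . ';</script>';
}

// The advisory's payload, as it would arrive in $_GET['status'] (constructed
// here instead of read from the request so the script runs offline).
$payload = '</script><script>alert(document.cookie);</script>';

echo "Vulnerable output (script block is broken out of):\n";
echo render_status_filter_vulnerable($payload) . "\n\n";

echo "Hardened output (value rejected by the allow-list, nothing executes):\n";
echo render_status_filter_hardened($payload) . "\n\n";

// A legitimate value still works, and would be safe even without the
// allow-list thanks to the context-specific escaping.
echo "Hardened output for a valid status:\n";
echo render_status_filter_hardened('shipped') . "\n";
```

The allow-list is the real fix here: a status filter only ever has a handful of meaningful values, so anything else can be dropped before it reaches output. The escaping calls are defence in depth for the day someone adds a free-text field to the same template; note that the escape must match the sink (esc_html for text, esc_attr for attributes, JSON with hex flags for inline script), since a single generic "sanitize" step at input time is exactly what the advisory found missing and would not cover all three contexts.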
## Solution
================================================================
Update to version 1.5.5.