Wordpress WooCommerce Plugin 2.0.17 Cross-Site Scripting Vulnerability

Title: Wordpress WooCommerce Plugin 2.0.17 Cross-Site Scripting Vulnerability
Advisory ID: ZSL-2013-5156
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 18.10.2013
Summary
WooCommerce is an open source e-commerce plugin for WordPress.
Description
The plugin suffers from an XSS issue due to a failure to properly sanitize user-supplied input to the 'hide-wc-extensions-message' parameter in the 'admin/woocommerce-admin-settings.php' script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
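As an added illustration (not the plugin's code and not the vendor's patch), the class of defect the description points at: a query-string parameter meant only as a UI flag is echoed back into admin HTML unescaped, shown beside a hardened version that treats the parameter as a boolean and escapes whatever it does output. Function names and the page markup are assumptions.

```php
<?php
// Constructed example: an admin page that remembers whether a notice was dismissed.
// Neither function is WooCommerce code; both are illustrations of the pattern.

// Vulnerable pattern: the raw query-string value is concatenated into an HTML
// attribute. A value containing a double quote closes the attribute early and
// the rest of the value becomes markup in the admin user's browser.
function render_notice_link_vulnerable(array $get): string
{
    $hide = $get['hide-wc-extensions-message'] ?? '';
    return '<a class="dismiss" href="?hide-wc-extensions-message=' . $hide . '">Hide</a>';
}

// Hardened pattern: the parameter is only ever a flag, so its value is never
// echoed at all; it is reduced to a boolean. Anything that *is* written into
// HTML goes through an escaping function first (htmlspecialchars here; in
// WordPress code the equivalents are esc_attr() / esc_url()).
function render_notice_link_hardened(array $get): string
{
    $hidden = isset($get['hide-wc-extensions-message'])
        && $get['hide-wc-extensions-message'] === '1';
    if ($hidden) {
        return ''; // notice dismissed: render nothing
    }
    $href = '?hide-wc-extensions-message=1';
    return '<a class="dismiss" href="'
        . htmlspecialchars($href, ENT_QUOTES, 'UTF-8')
        . '">Hide</a>';
}

// Constructed input: a value that breaks out of the href attribute.
$crafted = ['hide-wc-extensions-message' => '"><b>injected</b>'];

echo "vulnerable: ", render_notice_link_vulnerable($crafted), PHP_EOL;
echo "hardened:   ", render_notice_link_hardened($crafted), PHP_EOL;

// A legitimate dismissal still works with the hardened version.
$legit = ['hide-wc-extensions-message' => '1'];
var_dump(render_notice_link_hardened($legit) === '');
```

Run with `php example.php`; the vulnerable output contains the injected tag verbatim, the hardened output never contains any part of the supplied value.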
Vendor
WooThemes - http://www.woothemes.com
Affected Version
2.0.17 and 2.0.14
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
Apache 2.4.2 (Win32)
PHP 5.4.7
MySQL 5.5.25a
Vendor Status
[13.10.2013] Vulnerability discovered.
[17.10.2013] Vendor contacted.
[17.10.2013] Vendor responds asking more details.
[17.10.2013] Sent details to the vendor.
[18.10.2013] Vendor releases a patch for this issue that will be included in the 2.0.18 release.
[18.10.2013] Coordinated public security advisory released.
PoC
woocommerce_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
Figh hive to teppei
References
[1] https://github.com/woothemes/woocommerce/commit/4b581450480d74667b76d6ba50961d79a6d7a0c1
[2] http://cxsecurity.com/issue/WLB-2013100127
[3] http://packetstormsecurity.com/files/123684
[4] http://www.osvdb.org/show/osvdb/98754
[5] http://www.securityfocus.com/bid/63228
[6] http://wordpress.org/plugins/woocommerce/changelog/
[7] http://wordpress.org/support/topic/cross-site-scripting-vulnerability-warning
[8] http://xforce.iss.net/xforce/xfdb/88169
Changelog
[18.10.2013] - Initial release
[21.10.2013] - Added references [4] and [5]
[22.10.2013] - Added references [6] and [7]
[27.10.2013] - Added reference [8]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk