← Advisories

Wordpress WooCommerce Plugin 2.0.17 Cross-Site Scripting Vulnerability

Medium
Advisory ID
ZSL-2013-5156
Release Date
18 October 2013
Vendor
WooThemes - http://www.woothemes.com
Affected Version
2.0.17 and 2.0.14
CVE
N/A
Tested On
Microsoft Windows 7 Ultimate SP1 (EN), Apache 2.4.2 (Win32), PHP 5.4.7, MySQL 5.5.25a
Summary

WooCommerce is an open source e-commerce plugin for WordPress.

Description

The plugin suffers from a XSS issue due to a failure to properly sanitize user-supplied input to the 'hide-wc-extensions-message' parameter in the 'admin/woocommerce-admin-settings.php' script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.

Proof of Concept
woocommerce_xss.txtTXT
Disclosure Timeline
13.10.2013Vulnerability discovered.
17.10.2013Vendor contacted.
17.10.2013Vendor responds asking more details.
17.10.2013Sent details to the vendor.
18.10.2013Vendor releases a patch for this issue that will be included in the 2.0.18 release.
18.10.2013Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
Figh hive to teppei
References
[1]https://github.com/woothemes/woocommerce/commit/4b581450480d74667b76d6ba50961d79a6d7a0c1
[2]http://cxsecurity.com/issue/WLB-2013100127
[3]http://packetstormsecurity.com/files/123684
[4]http://www.osvdb.org/show/osvdb/98754
[5]http://www.securityfocus.com/bid/63228
[6]http://wordpress.org/plugins/woocommerce/changelog/
[7]http://wordpress.org/support/topic/cross-site-scripting-vulnerability-warning
[8]http://xforce.iss.net/xforce/xfdb/88169
[9]https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woocommerce/woocommerce-2017-cross-site-scripting
Changelog
18.10.2013Initial release
21.10.2013Added reference [4] and [5]
22.10.2013Added reference [6] and [7]
27.10.2013Added reference [8]
16.12.2022Added reference [9]