Authenticated stored Cross-site scripting (XSS) in WooCommerce Product Attachment plugin <= 1.1.2

When you save an attachment there’s no sanitization done in order to prevent cross-site scripting. Moreover, there’s no escaping, so user with shop_manager role can inject malicious scripts. Related functions wcpoa_attachment_meta_data() and wcpoa_new_product_tab_content().

It’s also possbile to guess order number and attachment ID to download it. There should be nonce check to prevent this.

Leave a Reply

Your email address will not be published. Required fields are marked *