Stored Cross-Site Scripting (XSS) in WooCommerce Quick Reports plugin <= 1.0.6

We found a stored XSS vulnerability that allows an attacker to inject malicious JavaScript into the WooCommerce -> Orders page.

This code in the woo_quick_report_woocommerce_payment_order( $order_id ) function runs after an order is placed:

Here we can create or modify the “referral_site” cookie to something like this

and place an order; the JavaScript then runs on WooCommerce -> Orders.

Authenticated stored Cross-site scripting (XSS) in WooCommerce Product Attachment plugin <= 1.1.2

When you save an attachment, no sanitization is done to prevent cross-site scripting. Moreover, there is no escaping on output, so a user with the shop_manager role can inject malicious scripts. Related functions: wcpoa_attachment_meta_data() and wcpoa_new_product_tab_content().

It’s also possible to guess the order number and attachment ID to download an attachment. There should be a nonce check to prevent this.

Cross-site request forgery (CSRF) and stored Cross-site Scripting (XSS) in WooCommerce Enhanced Ecommerce Analytics Integration with Conversion Tracking plugin <= 1.8

This plugin is vulnerable to Cross-site request forgery (CSRF). An admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), allowing the attacker to change the plugin settings.

The function wc_tracking_for_google_and_facebook_setting in the file class-woo-ecommerce-tracking-for-google-and-facebook-admin does no check against Cross-site request forgery (CSRF) and no user capability check. Also, when the data is printed on the front-end (related file: class-woo-ecommerce-tracking-for-google-and-facebook-public.php), there is no escaping, so a stored XSS attack is possible.

Proof Of Concept:

Stored Cross-Site scripting (XSS) in Mass Pages/Posts Creator plugin <= 1.2.2

We see that any logged-in user can launch Mass Pages/Posts creation with custom content. In the file mass-pages-posts-creator.php, the function mpc_ajax_action is hooked into WordPress AJAX via wp_ajax_mpc_ajax_action and wp_ajax_nopriv_mpc_ajax_action. There is no nonce or user capability check, so any logged-in user can DDoS a site and create hundreds of thousands of posts with custom content. Unauthenticated users came very close to being able to launch this attack as well, but the developer made a typo when adding the hook here: wp_ajax_nopriv`_mpc_ajax_action.

Proof Of Concept:

Stored Cross-site scripting (XSS) in Advance Search for WooCommerce plugin <= 1.0.9

This plugin is vulnerable to a stored Cross-site scripting (XSS) vulnerability. A non-authenticated user can save the plugin settings and inject malicious JavaScript code in the Custom CSS textarea field. There are two problems:

$this->loader->add_action( 'wp_ajax_nopriv_Save_advance_search_settings_free', $plugin_admin, 'Save_advance_search_settings_free' );

The wp_ajax_nopriv_ hook shouldn’t be used here: it handles front-end AJAX requests from unauthenticated users, so the admin settings function is now reachable by non-authenticated users. The function does no checks before saving the settings, so an attacker can change them.
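The fix for this handler and for the mpc_ajax_action hook above is the same: register the action on the privileged hook only, verify a nonce, check a capability, sanitize on save and strip markup again on output. The following is an added example written for this advisory, not code from any of the plugins; the option name, action name and function names are hypothetical.

```php
<?php
// Added hardening example (hypothetical names, not the plugin's own code).

// Weak pattern from the advisory: reachable by unauthenticated visitors via
// wp_ajax_nopriv_, and no nonce or capability check before writing the option.
add_action( 'wp_ajax_nopriv_example_save_settings', 'example_save_settings_weak' );
function example_save_settings_weak() {
    update_option( 'example_custom_css', $_POST['custom_css'] );
    wp_die();
}

// Hardened pattern: privileged hook only (logged-in users), nonce check,
// capability check, sanitisation on save.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );
function example_save_settings_hardened() {
    // The admin page must have emitted this nonce, e.g. via
    // wp_create_nonce( 'example_save_settings' ) passed to the JS with
    // wp_localize_script(). A missing or stale nonce ends the request here.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // Only users who may manage options can change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $css = isset( $_POST['custom_css'] ) ? wp_unslash( $_POST['custom_css'] ) : '';
    // Strip every tag so a closing </style> followed by <script> cannot be
    // stored; this is the same approach WordPress core applies to custom CSS.
    $css = wp_strip_all_tags( $css );
    update_option( 'example_custom_css', $css );
    wp_send_json_success();
}

// Output-time stripping is an independent second line of defence in case a
// value was stored by an older, unsanitised version of the handler.
function example_print_custom_css() {
    $css = get_option( 'example_custom_css', '' );
    echo '<style>' . wp_strip_all_tags( $css ) . '</style>';
}
add_action( 'wp_head', 'example_print_custom_css' );
```

For values printed into HTML rather than a style block (such as the referral cookie shown in the Orders column above), esc_html() on output is the matching control.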

Proof of Concept: