Stored Cross-site scripting (XSS) in Advance Search for WooCommerce plugin <= 1.0.9

This plugin is vulnerable to a stored Cross-site site scriptiong (XSS) vulnerability. A non-authenticated user can save the plugin settings and inject malicious JavaScript code in the Custom CSS textarea field. There are two problems:

$this->loader->add_action(‘wp_ajax_nopriv_Save_advance_search_settings_free’,$plugin_admin, ‘Save_advance_search_settings_free’ );

wp_ajax_nopriv_ hook shouldn’t be used here. It is used to handle AJAX requests on the front-end for unauthenticated users. Now admin settings function is loaded for non-authenticated users. The function does not do any checks before beginning to save the settings, so an attacker can change them.

Proof of Concept:

Leave a Reply

Your email address will not be published. Required fields are marked *