Stored Cross-Site Scripting (XSS) in WooCommerce Quick Reports plugin <= 1.0.6

We found a stored XSS vulnerability, which allows an attacker to inject malicious JavaScript on WooCommerce -> Orders page.

This code in woo_quick_report_woocommerce_payment_order( $order_id) function is ran after placing an order:

Here we can create or modify “referral_site” cookie to something like this

and place an order, then this javascript will be ran on WooCommerce -> Orders.

Leave a Reply

Your email address will not be published. Required fields are marked *