Stored Cross-Site Scripting (XSS) in WooCommerce Quick Reports plugin <= 1.0.6

We found a stored XSS vulnerability that allows an attacker to inject malicious JavaScript into the WooCommerce -> Orders page.

This code in the woo_quick_report_woocommerce_payment_order( $order_id ) function runs after an order is placed:

Here we can create or modify the “referral_site” cookie to something like this

and place an order; the JavaScript is then executed on the WooCommerce -> Orders page.

Authenticated stored Cross-site scripting (XSS) in WooCommerce Product Attachment plugin <= 1.1.2

When an attachment is saved, no sanitization is done to prevent cross-site scripting. Moreover, there is no escaping on output, so a user with the shop_manager role can inject malicious scripts. The related functions are wcpoa_attachment_meta_data() and wcpoa_new_product_tab_content().

It’s also possible to guess the order number and attachment ID in order to download the attachment. There should be a nonce check to prevent this.
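The two stored XSS issues above share one root cause: attacker-controlled input (form fields from a shop_manager, or a cookie set by any visitor) is stored without sanitization and printed without escaping. The following is an added example, not code from either plugin, showing the save/render pattern that closes both gaps; every function name, meta key, form field and the `example_` prefix are assumptions chosen for illustration. The `woocommerce_checkout_order_processed` and `manage_shop_order_posts_custom_column` hooks are real WooCommerce hooks (the latter applies to post-based order storage).

```php
<?php
// Added example (not plugin code). Names prefixed "example_" are hypothetical.

// Save handler for product attachment fields: nonce, capability, then sanitize.
function example_save_attachment_meta( $post_id ) {
    // CSRF: the request must carry the nonce emitted by our own form.
    if ( ! isset( $_POST['example_attachment_nonce'] )
        || ! wp_verify_nonce( $_POST['example_attachment_nonce'], 'example_save_attachment_' . $post_id ) ) {
        return;
    }
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    // Authorization: only users who may edit this product can change its attachment.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // Sanitize on input, choosing the sanitizer by the field's type.
    $title = isset( $_POST['example_attachment_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_attachment_title'] ) ) : '';
    $url   = isset( $_POST['example_attachment_url'] )
        ? esc_url_raw( wp_unslash( $_POST['example_attachment_url'] ) ) : '';
    $note  = isset( $_POST['example_attachment_note'] )
        ? wp_kses_post( wp_unslash( $_POST['example_attachment_note'] ) ) : '';

    update_post_meta( $post_id, '_example_attachment_title', $title );
    update_post_meta( $post_id, '_example_attachment_url', $url );
    update_post_meta( $post_id, '_example_attachment_note', $note );
}
add_action( 'save_post_product', 'example_save_attachment_meta' );

// Admin meta box: emit the nonce with the form and escape stored values in attributes.
function example_render_attachment_fields( $post ) {
    wp_nonce_field( 'example_save_attachment_' . $post->ID, 'example_attachment_nonce' );
    $title = get_post_meta( $post->ID, '_example_attachment_title', true );
    $url   = get_post_meta( $post->ID, '_example_attachment_url', true );
    printf( '<input type="text" name="example_attachment_title" value="%s">', esc_attr( $title ) );
    printf( '<input type="url" name="example_attachment_url" value="%s">', esc_attr( $url ) );
}

// Front-end product tab: escape on output. Sanitizing on save is not a substitute,
// because the same meta may be written by other code paths or older plugin versions.
function example_product_tab_content() {
    $post_id = get_the_ID();
    $title   = get_post_meta( $post_id, '_example_attachment_title', true );
    $url     = get_post_meta( $post_id, '_example_attachment_url', true );
    $note    = get_post_meta( $post_id, '_example_attachment_note', true );
    echo '<h3>' . esc_html( $title ) . '</h3>';
    echo '<a href="' . esc_url( $url ) . '">' . esc_html__( 'Download', 'example' ) . '</a>';
    echo '<div>' . wp_kses_post( $note ) . '</div>';
}

// A cookie (as in the Quick Reports issue) is request data too: sanitize it when
// it is stored on the order and escape it when it is shown in the Orders list.
function example_store_referral_site( $order_id ) {
    $referral = isset( $_COOKIE['referral_site'] )
        ? sanitize_text_field( wp_unslash( $_COOKIE['referral_site'] ) ) : '';
    if ( '' !== $referral ) {
        update_post_meta( $order_id, '_example_referral_site', $referral );
    }
}
add_action( 'woocommerce_checkout_order_processed', 'example_store_referral_site' );

function example_show_referral_site_column( $column, $order_id ) {
    if ( 'example_referral_site' === $column ) {
        echo esc_html( get_post_meta( $order_id, '_example_referral_site', true ) );
    }
}
add_action( 'manage_shop_order_posts_custom_column', 'example_show_referral_site_column', 10, 2 );
```

The rule of thumb applied here is "sanitize on the way in, escape on the way out, and pick the escaper for the context" (`esc_attr()` inside attributes, `esc_html()` in text nodes, `esc_url()` in `href`). The download-by-guessing issue is addressed by the same mechanism as the save handler: the link that triggers the download should carry a nonce that is verified before the file is served.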

Cross-site request forgery (CSRF) and stored Cross-site Scripting (XSS) in WooCommerce Enhanced Ecommerce Analytics Integration with Conversion Tracking plugin <= 1.8

This plugin is vulnerable to Cross-site request forgery (CSRF). An admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), after which the attacker can change the plugin settings.

The function wc_tracking_for_google_and_facebook_setting in the file class-woo-ecommerce-tracking-for-google-and-facebook-admin does no check against Cross-site request forgery (CSRF) and no user capability check. Also, when the data is printed on the front-end (related file: class-woo-ecommerce-tracking-for-google-and-facebook-public.php), no escaping is done, so a stored XSS attack is possible.

Proof Of Concept:

Unauthenticated Settings Change Vulnerability in WooCommerce Category Banner Management plugin <= 1.1.0

In class-woo-banner-management.php, the function wbm_save_shop_page_banner_data is also hooked into ‘wp_ajax_nopriv_’. This means the function can be accessed on the front-end by unauthenticated users. The problem is that wbm_save_shop_page_banner_data does not do any checks before it begins saving the settings, so anyone can change the plugin’s settings simply by sending a request to the wbm_save_shop_page_banner_data action. Unauthenticated users can add and modify banners.

$this->loader->add_action('wp_ajax_wbm_save_shop_page_banner_data', $plugin_admin, 'wbm_save_shop_page_banner_data');
$this->loader->add_action('wp_ajax_nopriv_wbm_save_shop_page_banner_data', $plugin_admin, 'wbm_save_shop_page_banner_data');

Proof Of Concept:

Cross-site request forgery (CSRF) in Woo Checkout for Digital Goods plugin <= 2.1

This plugin is vulnerable to Cross-site request forgery (CSRF). An admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), after which the attacker can change the plugin settings.

The function woo_checkout_settings_page in the file class-woo-checkout-for-digital-goods-admin.php does no check against Cross-site request forgery (CSRF) and no user capability check.

Proof Of Concept:

SQL Injection in Page Visit Counter plugin <= 4.0.9

There’s no escaping for the $page_title = isset($_POST['page_name']) ? $_POST['page_name'] : ''; and $page_date = isset($_POST['page_date']) ? $_POST['page_date'] : ''; variables in the function select_input_page_value in the file class-page-visit-counter-admin.php. In some circumstances, it’s possible to inject malicious SQL.
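Values taken straight from $_POST must never be concatenated into a query; the fix is to bind them as parameters with `$wpdb->prepare()` and to validate their shape first. The following is an added example, not the plugin's own code: a lookup with the same two inputs (page name and date) rewritten safely. The table name, column names, the AJAX action and the `example_` prefix are assumptions for illustration.

```php
<?php
// Added example (not plugin code). Names prefixed "example_" are hypothetical.

function example_select_page_visits( $page_title, $page_date ) {
    global $wpdb;

    // Validate shape before the value reaches SQL: a date is YYYY-MM-DD or it is rejected.
    if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $page_date ) ) {
        return array();
    }
    $page_title = sanitize_text_field( $page_title );

    $table = $wpdb->prefix . 'example_page_visits'; // assumed table name

    // prepare() quotes and escapes each %s placeholder, so a quote character in
    // the title is stored and compared as data rather than terminating the string.
    $sql = $wpdb->prepare(
        "SELECT visit_count FROM {$table} WHERE page_name = %s AND DATE(visit_date) = %s",
        $page_title,
        $page_date
    );

    return $wpdb->get_results( $sql, ARRAY_A );
}

// Admin-side entry point: nonce and capability checks, then wp_unslash() before
// prepare() so WordPress's added slashes are not escaped a second time.
function example_admin_visit_lookup() {
    check_ajax_referer( 'example_visit_lookup', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $page_title = isset( $_POST['page_name'] ) ? wp_unslash( $_POST['page_name'] ) : '';
    $page_date  = isset( $_POST['page_date'] ) ? wp_unslash( $_POST['page_date'] ) : '';

    wp_send_json_success( example_select_page_visits( $page_title, $page_date ) );
}
add_action( 'wp_ajax_example_visit_lookup', 'example_admin_visit_lookup' );
```

Two details matter in practice: `prepare()` only protects values, so the table name is built from `$wpdb->prefix` rather than from input, and when a placeholder feeds a `LIKE` clause the pattern should additionally go through `$wpdb->esc_like()`.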

Stored Cross-Site scripting (XSS) in Mass Pages/Posts Creator plugin <= 1.2.2

We see that any logged-in user can launch Mass Pages/Posts creation with custom content. In the file mass-pages-posts-creator.php, the function mpc_ajax_action is hooked into WordPress AJAX via wp_ajax_mpc_ajax_action and wp_ajax_nopriv_mpc_ajax_action. The thing is, there is no nonce or user capability check, so anyone can DDoS a site and create hundreds of thousands of posts with custom content. It was very close to being possible for a non-authenticated user to launch this attack, but the developer made a typo when adding the hook here: wp_ajax_nopriv`_mpc_ajax_action.

Proof Of Concept:

Cross-site request forgery (CSRF) in Eu Cookie Notice plugin <= 1.0.6

This plugin is vulnerable to Cross-site request forgery (CSRF). An admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), after which the attacker can change the plugin settings.

Proof Of Concept:

Stored Cross-site scripting (XSS) in Advance Search for WooCommerce plugin <= 1.0.9

This plugin is vulnerable to a stored Cross-site scripting (XSS) vulnerability. A non-authenticated user can save the plugin settings and inject malicious JavaScript code into the Custom CSS textarea field. There are two problems:

$this->loader->add_action('wp_ajax_nopriv_Save_advance_search_settings_free', $plugin_admin, 'Save_advance_search_settings_free');

First, the wp_ajax_nopriv_ hook shouldn’t be used here. It exists to handle AJAX requests on the front-end for unauthenticated users, so the admin settings function is now reachable by non-authenticated users. Second, the function does not do any checks before it begins saving the settings, so an attacker can change them.
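The Category Banner Management, Mass Pages/Posts Creator and Advance Search issues above all come down to how an admin-only AJAX action is registered and guarded. The following is an added example, not code from any of these plugins, showing the pattern that prevents all three: a single `wp_ajax_` registration (no `wp_ajax_nopriv_`), a nonce handed to the admin script, and a handler that verifies the nonce, checks the capability and sanitizes before saving. The action, option and function names, the script handle and the admin page hook suffix are assumptions for illustration.

```php
<?php
// Added example (not plugin code). Names prefixed "example_" are hypothetical.

// Registration: the privileged hook only. 'wp_ajax_nopriv_' serves logged-out
// visitors and has no place in front of a settings-saving handler.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings' );

// Issue the nonce to the admin page's script so the browser can send it back.
function example_enqueue_admin_script( $hook_suffix ) {
    if ( 'toplevel_page_example-settings' !== $hook_suffix ) { // assumed page hook
        return;
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAdmin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );

function example_save_settings() {
    // 1. CSRF: check_ajax_referer() stops the request (HTTP 403) unless the
    //    'nonce' POST field matches the action issued above.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // 2. Authorization: being logged in is not enough; require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validation: accept only known fields and sanitize each for its type.
    $custom_css = isset( $_POST['custom_css'] ) ? wp_unslash( $_POST['custom_css'] ) : '';
    // CSS is later printed inside a <style> element, so strip anything tag-like
    // (including a closing </style>) that would let the value break out of it.
    $custom_css = wp_strip_all_tags( $custom_css );

    $per_page = isset( $_POST['per_page'] ) ? absint( $_POST['per_page'] ) : 10;
    $per_page = max( 1, min( 100, $per_page ) );

    update_option( 'example_settings', array(
        'custom_css' => $custom_css,
        'per_page'   => $per_page,
    ) );

    wp_send_json_success( array( 'message' => 'Settings saved.' ) );
}

// Output: apply the same filter again when printing, so an older stored value
// written before this check existed is still safe.
function example_print_custom_css() {
    $settings = get_option( 'example_settings', array() );
    if ( ! empty( $settings['custom_css'] ) ) {
        echo '<style id="example-custom-css">' . wp_strip_all_tags( $settings['custom_css'] ) . '</style>';
    }
}
add_action( 'wp_head', 'example_print_custom_css' );
```

For the Mass Pages/Posts case the same three steps apply, with the capability check being the one that decides who may create content (for instance `publish_posts`); a nonce on its own only proves the request came from the plugin's own page, not that the user is entitled to the action.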

Proof of Concept:

Cross-site Request Forgery (CSRF) in Add Social Share Messenger Buttons Whatsapp and Viber plugin <= 1.0.8

This plugin is vulnerable to Cross-site request forgery (CSRF). An admin user can be tricked into visiting a crafted URL created by an attacker (via spear phishing/social engineering), after which the attacker can change the plugin settings. There’s no nonce or role check in the whatsapp_share_setting_add_update() function.
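The CSRF findings on this page (Enhanced Ecommerce Analytics Integration, Woo Checkout for Digital Goods, Eu Cookie Notice and this plugin) all involve a settings page whose save function acts on a request without proving it came from the plugin's own form or that the user may change settings. The following is an added example, not code from any of these plugins, of a settings page and save handler with both checks in place and with stored values escaped when printed on the front-end. The option name, form fields, page slug and the `example_` prefix are assumptions for illustration.

```php
<?php
// Added example (not plugin code). Names prefixed "example_" are hypothetical.

add_action( 'admin_menu', function () {
    add_options_page( 'Example Share', 'Example Share', 'manage_options', 'example-share', 'example_settings_page' );
} );

function example_settings_page() {
    // Capability check on the page itself, not only in the save handler.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.', 'example' ) );
    }

    $saved = example_handle_settings_post();
    $opts  = get_option( 'example_share_settings', array( 'url' => '', 'label' => '' ) );
    ?>
    <div class="wrap">
        <h1>Example Share Settings</h1>
        <?php if ( $saved ) : ?><div class="notice notice-success"><p>Settings saved.</p></div><?php endif; ?>
        <form method="post">
            <?php // The nonce ties this form to the action checked in the handler. ?>
            <?php wp_nonce_field( 'example_save_share_settings', 'example_share_nonce' ); ?>
            <p><label>Share URL <input type="url" name="url" value="<?php echo esc_attr( $opts['url'] ); ?>"></label></p>
            <p><label>Button label <input type="text" name="label" value="<?php echo esc_attr( $opts['label'] ); ?>"></label></p>
            <?php submit_button(); ?>
        </form>
    </div>
    <?php
}

function example_handle_settings_post() {
    // Only act on a POST that carries our nonce field; a crafted GET link does nothing.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['example_share_nonce'] ) ) {
        return false;
    }
    // CSRF: check_admin_referer() dies unless the nonce is valid for this action.
    // A link an administrator is tricked into opening cannot carry a valid one.
    check_admin_referer( 'example_save_share_settings', 'example_share_nonce' );

    // Authorization, repeated here so the handler stays safe if reused elsewhere.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ) );
    }

    // Sanitize each field for its type before storing.
    $url   = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    $label = isset( $_POST['label'] ) ? sanitize_text_field( wp_unslash( $_POST['label'] ) ) : '';

    update_option( 'example_share_settings', array( 'url' => $url, 'label' => $label ) );
    return true;
}

// Front-end output: values an administrator stored are still escaped when printed,
// which is the missing step behind the stored XSS noted for the tracking plugin.
function example_share_button() {
    $opts = get_option( 'example_share_settings', array( 'url' => '', 'label' => '' ) );
    if ( '' === $opts['url'] ) {
        return '';
    }
    return sprintf(
        '<a class="example-share" href="%s" rel="noopener">%s</a>',
        esc_url( $opts['url'] ),
        esc_html( $opts['label'] )
    );
}
add_shortcode( 'example_share', 'example_share_button' );
```

Plugins that register their options through the Settings API (`register_setting()` with a `sanitize_callback`, `settings_fields()` in the form, posting to `options.php`) get the nonce and capability checks from WordPress core; the manual `check_admin_referer()` path above is what a hand-written handler such as the one named in this advisory needs to add.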

Proof Of Concept: