[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 4 May 2020 12:29:51 +0000
From: Jack Misiura via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Reflected XSS in WordPress - WooCommerce - Advanced Order
Export 3.1.3 plugin disclosure
Title: Reflected XSS
Product: WordPress WooCommerce - Advanced Order Export plugin.
Vendor Homepage: https://algolplus.com/plugins/downloads/advanced-order-export-for-woocommerce-pro/
Vulnerable Version: 3.1.3
Fixed Version: 3.1.4
CVE Number: CVE-2020-11727
Author: Jack Misiura from The Missing Link
Website: https://www.themissinglink.com.au
Timeline:
2020-04-08 Disclosed to Vendor
2020-04-08 Vendor sends fix for testing
2020-04-09 Fix confirmed
2020-04-28 Vendor publishes fix
2020-05-04 Publication
1. Vulnerability Description
The WordPress Advanced Order Export WooCommerce plugin does not sanitise the woe_post_type parameter which can be passed through in the URL, allowing for HTML or JavaScript injection.
2. PoC
On a WordPress installation with WooCommerce and a vulnerable Advanced Order Export plugin, issue the following request while logged in as Administrator:
https://wp-site/wp-admin/admin.php?page=wc-order-export&tab=export&woe_post_type=%22%3E%3Cscript%3Ealert(1);#segment=common
3. Solution
The vendor provides an updated version (3.1.4) which should be installed immediately.
4. Advisory URL
https://www.themissinglink.com.au/security-advisories
Jack Misiura
Application Security Consultant
a
9‑11 Dickson Avenue
Artarmon
NSW
2064
p
1300 865 865
os
+61 2 8436 8585
w
<https://www.themissinglink.com.au/> themissinglink.com.au
<https://www.linkedin.com/company/the-missing-link-network-integration-pty-ltd/>
<https://www.facebook.com/The-Missing-Link-268395013346228/?ref=bookmarks>
<https://twitter.com/TML_au>
<https://www.youtube.com/channel/UC2kd4mDmBs3SjW4lX3fFHnQ>
<https://www.instagram.com/the_missing_link_it/>
<https://www.themissinglink.com.au/robotic-process-automation>
CAUTION - This message may contain privileged and confidential information intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby notified that any use, dissemination, distribution or reproduction of this message is prohibited. If you have received this message in error please notify The Missing Link immediately. Any views expressed in this message are those of the individual sender and may not necessarily reflect the views of The Missing Link.
Download attachment "image001.png" of type "image/png" (16959 bytes)
Download attachment "image002.png" of type "image/png" (4195 bytes)
Download attachment "image003.png" of type "image/png" (4210 bytes)
Download attachment "image004.png" of type "image/png" (4248 bytes)
Download attachment "image005.png" of type "image/png" (4249 bytes)
Download attachment "image006.png" of type "image/png" (4340 bytes)
Download attachment "image007.jpg" of type "image/jpeg" (24132 bytes)
Download attachment "smime.p7s" of type "application/pkcs7-signature" (4928 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists