CVSS Summary
| Score | 6.8 Medium |
|---|---|
| Vector | Network |
| Complexity | Medium |
| Authentication | None |
| Confidentiality | Partial |
| Integrity | Partial |
| Availability | Partial |
Advisory:
Reflected XSS in WooCommerce allows attackers ability to do almost anything an admin user can do
Vulnerability
Last revised:
An attacker able to convince a logged-in admin user to visit a link of their choosing (for instance via spearphishing) can execute arbitrary JavaScript within the admin’s browser which could cause it to delete all posts, create new admin users, or leverage other functionality accessible only to admins.
Current state: Fixed
Proof of concept
If a logged-in administrator visits the following url, a javascript alert will display on in the admin screen:
http://localhost/wp-admin/admin.php?page=wc-reports&range=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
Note that this will not work in a browser with reflected XSS prevention (e.g. Google Chrome)
Advisory timeline
- 2014-08-28: Discovered
- 2014-09-15: Reported to Vendor by email
- 2014-09-15: Requested CVE
- 2014-09-16: Vendor responded
- 2014-09-16: Fixed version released
- 2014-09-17: Published
Mitigation/further actions
Upgrade to version 2.2.3 or later