Advisory:

Reflected XSS in WooCommerce allows attackers to do almost anything an admin user can do

Vulnerability

Last revised:

An attacker who can convince a logged-in admin user to visit a link of their choosing (for instance via spearphishing) can execute arbitrary JavaScript in the admin's browser, which could delete all posts, create new admin users, or invoke any other functionality accessible only to admins.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability:

  Score: 6.8 (Medium)
  Vector: Network
  Complexity: Medium
  Authentication: None
  Confidentiality: Partial
  Integrity: Partial
  Availability: Partial
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

If a logged-in administrator visits the following URL, a JavaScript alert will display in the admin screen:

http://localhost/wp-admin/admin.php?page=wc-reports&range=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E

Note that this will not work in a browser with built-in reflected XSS filtering (e.g. Google Chrome).
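The `%22%3E` (`">`) prefix in the proof-of-concept URL indicates that the `range` parameter was being written into a double-quoted HTML attribute without escaping. The following stand-alone PHP snippet is an added illustration of that pattern and of the fix a reviewer would expect; it is constructed for this advisory and is not WooCommerce's own code. The function names, the `esc_attr()` fallback and the accepted range list are all assumptions made for the example.

```php
<?php
// Added illustration of the reflected-XSS pattern implied by the PoC URL above.
// Constructed example code, not WooCommerce's source: the real report-screen
// template is not reproduced in the advisory, and the helper names below
// (render_range_input_vulnerable, render_range_input_fixed, sanitize_range)
// are hypothetical.

// Stand-in for WordPress's esc_attr() so this file runs outside WordPress.
// WordPress's own esc_attr() does more normalisation; this fallback only
// performs the attribute-context escaping that matters here.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: the request parameter is concatenated into a
// double-quoted attribute unescaped. A value beginning with "> closes the
// attribute and the tag, and the remainder is parsed as markup.
function render_range_input_vulnerable(string $range): string {
    return '<input type="hidden" name="range" value="' . $range . '" />';
}

// Fixed pattern: escape for the HTML-attribute context at the point of output.
// esc_attr() turns ", ', <, > and & into entities, so the value can no longer
// break out of the attribute whatever the request contained.
function render_range_input_fixed(string $range): string {
    return '<input type="hidden" name="range" value="' . esc_attr($range) . '" />';
}

// Defence in depth: a report range is one of a small set of known values, so
// reject anything else before it reaches the template. The accepted list is
// constructed for this example.
function sanitize_range(string $range, string $default = '7day'): string {
    $allowed = ['year', 'last_month', 'month', '7day'];
    return in_array($range, $allowed, true) ? $range : $default;
}

// Constructed input equal to the URL-decoded PoC query value.
$poc = '"><script>alert(1)</script>';

echo "Vulnerable output:\n", render_range_input_vulnerable($poc), "\n\n";
echo "Escaped output:\n", render_range_input_fixed($poc), "\n\n";
echo "Allow-listed value: ", sanitize_range($poc), "\n";
```

Running it shows the unescaped version emitting a closed `<input>` followed by a live `<script>` element, while the escaped version keeps the whole payload inside the `value` attribute as entities. Output escaping is the fix that closes the bug; the allow-list is the extra check that stops unexpected values from ever reaching output code, which is also the cheaper place to log and alert on them.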

Advisory timeline

  • 2014-08-28: Discovered
  • 2014-09-15: Reported to Vendor by email
  • 2014-09-15: Requested CVE
  • 2014-09-16: Vendor responded
  • 2014-09-16: Fixed version released
  • 2014-09-17: Published

Mitigation/further actions

Upgrade to version 2.2.3 or later.