WordPress Cart66 Lite plugin version 1.5.4 suffers from a cross site scripting vulnerability.
d55d456da2969e8282ba5b0b286d7eaf4ed8485ce8a79ef1261715e49dd305de
Title: WordPress 'Cart66 Lite :: WordPress Ecommerce' plugin - Reflected XSS
Version: 1.5.4
Author: Morten Nørtoft, Kenneth Jepsen, Mikkel Vej
Date: 2015/01/26
Download: https://wordpress.org/plugins/cart66-lite/
Contacted WordPress: 2015/01/26
================================================================
## Description:
================================================================
Cart66 is a simple to use yet powerful ecommerce plugin for WordPress. Sell digital products
and/or physical products with Cart66. The easiest to use WordPress ecommerce shopping cart plugin.
## Reflected XSS
================================================================
The plugin suffers from a reflected cross site scripting in the file orders.php
which is loaded in /wp4/wp-admin/admin.php?page=cart66_admin by viewing the orders.
The vulnerability can be exploited by tricking a logged in admin to click an URL
## PoC
================================================================
The vulnerable parameter is called "status". The "status" parameter is retrieved from a $_GET['status'] call
But is not further sanitized before printing the variable.
The vulnerability can be exploited using the following link:
/wp4/wp-admin/admin.php?page=cart66_admin&status=</script><script>alert(document.cookie);</script>
## Solution
================================================================
Update to version 1.5.5.