what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Preview E-mails For WooCommerce 1.6.8 Cross Site Scripting

WordPress Preview E-mails For WooCommerce 1.6.8 Cross Site Scripting
Posted Nov 18, 2021
Authored by Chloe Chamberland | Site wordfence.com

WordPress Preview E-mails for WooCommerce plugin versions 1.6.8 and below suffer from a cross site scripting vulnerability.

tags | advisory, xss
advisories | CVE-2021-42363
SHA-256 | 01bd24243549cbbdb29bc5e55a2d15d7d611dfff811a5a470702cdad4370055b

WordPress Preview E-mails For WooCommerce 1.6.8 Cross Site Scripting

Change Mirror Download
Description: Reflected Cross-Site Scripting

Affected Plugin: Preview E-mails for WooCommerce

Plugin Slug: woo-preview-emails

Affected Versions: <= 1.6.8

CVE ID: CVE-2021-42363

CVSS Score: 6.1 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Researcher/s: Chloe Chamberland

Fully Patched Version: 2.0.0

Preview E-mails for WooCommerce is a simple plugin designed to give site owners the ability to preview the emails that are sent to customers via WooCommerce. Unfortunately, the plugin had a flaw that made it possible for attackers to inject malicious web scripts into the `digthis-woocommerce-preview-emails` page.

As part of the plugin’s functionality, there is a feature to search orders and to generate an email preview based upon a specific order, so that an administrator or shop manager can see exactly what a specific user sees for the emails that get sent out. Unfortunately, the search_orders parameter, used to conduct the search, was reflected to the page and had no input sanitization or escaping upon output which made it possible for users to supply arbitrary scripts that would execute in the browser when the page was accessed with the payload set in the search_orders parameter.

This meant that if an attacker could successfully convince a site administrator to click on a link, they could get malicious JavaScript to execute in that administrator’s browser. This script could be crafted to inject a new administrative user or even modify a plugin or theme file to include a backdoor which in turn would grant the attacker the ability to completely take over the site.

Timeline

November 1, 2021 – Conclusion of the plugin analysis that led to the discovery of a Reflected Cross-Site Scripting Vulnerability in the Preview E-mails for WooCommerce plugin. We validate that the Wordfence Firewall provides complete protection. We initiate contact with the developer.

November 3, 2021 – The developer confirms the inbox for handling the discussion.

November 4, 2021 – We send over the full disclosure details.

October 8, 2021 – A fully patched version of the plugin is released as version 2.0.0.

Conclusion

In today’s post, we detailed a flaw in the Preview E-mails for WooCommerce plugin that made it possible for attackers to inject malicious web scripts into a page that would execute if an attacker successfully tricked a site administrator into performing an action. This flaw has been fully patched in version 2.0.0.

We recommend that WordPress users immediately verify that their site has been updated to the latest patched version available, which is version 2.0.1 at the time of this publication.

Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    18 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close