WordPress Plugin Advanced Order Export For WooCommerce 3.1.7 - Reflected Cross-Site Scripting (XSS)

vendor:

Advanced Order Export For WooCommerce

by:

0xB9

6,1

CVSS

MEDIUM

Reflected Cross-Site Scripting (XSS)

CWE

Product Name: Advanced Order Export For WooCommerce

Affected Version From: 3.1.7

Affected Version To: 3.1.7

Patch Exists: YES

Related CWE: CVE-2021-24169

CPE: 2.3:a:wordpress:advanced_order_export_for_woocommerce:3.1.7

Metasploit: N/A

Other Scripts: N/A

Tags: wordpress,authenticated,wpscan,cve,cve2021,xss,wp-plugin,wp,woo-order-export-lite,edb

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Nuclei References: https://wpscan.com/vulnerability/09681a6c-57b8-4448-982a-fe8d28c87fc3, https://www.exploit-db.com/exploits/50324, https://wordpress.org/plugins/woo-order-export-lite/, https://nvd.nist.gov/vuln/detail/CVE-2021-24169

Nuclei Metadata: {'max-request': 2, 'verified': True, 'framework': 'wordpress', 'vendor': 'algolplus', 'product': 'advanced_order_export'}

Platforms Tested: Windows 10

2021

WordPress Plugin Advanced Order Export For WooCommerce 3.1.7 – Reflected Cross-Site Scripting (XSS)

WordPress Advanced Order Export For WooCommerce plugin before 3.1.8 contains an authenticated cross-site scripting vulnerability via the tab parameter in the admin panel. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Mitigation:

Upgrade to version 3.1.8 or later.

Source

WordPress Plugin Advanced Order Export For WooCommerce 3.1.7 – Reflected Cross-Site Scripting (XSS)

Mitigation:

Exploit-DB raw data: