Reflected Cross-Site Scripting
Hello,
We have a new vulnerability to responsibly disclose to you, and the details are outlined below.
Please note that this issue was discovered and responsibly reported to us by vgo0. Any credit for the discovery of the vulnerability should be granted to them.
- Vulnerability Title: Accounting for WooCommerce <= 1.6.6 - Reflected Cross-Site Scripting
- CVE ID: CVE-2024-11324
- CVSS Severity Score: 6.1 (Medium)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Organization: Wordfence
- Vulnerability Researcher(s): vgo0
- Software Link(s): https://wordpress.org/plugins/accounting-for-woocommerce
Description
The Accounting for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.6.6, because the return value of add_query_arg is echoed into a URL attribute without appropriate escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages, which execute if the attacker can successfully trick a user into performing an action such as clicking on a link.
Proof of Concept
- Install plugin
- Visit URL:
http://localhost/wp-admin/admin.php?page=woocommerce_accounting_exporter&"><script>alert("Hello Wordfence")</script>
views/export.php, line 46:
<a href="<?php echo add_query_arg('format', $name); ?>" class="nav-tab ">
Any Known Public References
Recommended Solution
We recommend using one of the built-in WordPress sanitization and/or escaping functions before saving user input data to the database and when displaying it on output. You can read more about the sanitization and escaping functions that WordPress has available at: https://developer.wordpress.org/apis/security/sanitizing/ and https://developer.wordpress.org/apis/security/escaping/
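The escaping recommended above, applied to the views/export.php tab link, as an added example that is not the plugin's code or Wordfence's: it assumes a $formats array, a $label variable and the page slug taken from the PoC URL.

```php
<?php
/*
 * Added example, not code from the plugin or from Wordfence. It shows the
 * nav-tab link from views/export.php in its reported form and in a hardened
 * form. $formats, $label and the 'page' slug are assumed for illustration.
 */
$formats = array( 'csv' => 'CSV', 'xml' => 'XML' );

foreach ( $formats as $name => $label ) :
    /*
     * Reported pattern:  echo add_query_arg( 'format', $name );
     * With no URL argument, add_query_arg() builds on $_SERVER['REQUEST_URI'],
     * so the current request's query string is carried into the returned URL,
     * and nothing escapes it before it lands inside the href attribute.
     * A request whose query string contains  "><script>...  therefore closes
     * the attribute and injects markup into the admin page.
     */

    /*
     * Hardened form, two independent layers:
     *  1. Build from a fixed base URL (admin_url) rather than REQUEST_URI, so
     *     only the parameters set here end up in the link.
     *  2. Late-escape for the attribute context with esc_url(), which strips
     *     characters such as " < > that the PoC relies on and entity-encodes
     *     the remaining & separators for HTML output.
     */
    $url = add_query_arg(
        array(
            'page'   => 'woocommerce_accounting_exporter', // slug from the PoC URL
            'format' => $name,
        ),
        admin_url( 'admin.php' )
    );
    ?>
    <a href="<?php echo esc_url( $url ); ?>" class="nav-tab">
        <?php echo esc_html( $label ); ?>
    </a>
<?php endforeach; ?>
```

Layer 2 alone is sufficient to close the reported issue; layer 1 additionally keeps unrelated request parameters out of the generated links.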
As per our standard disclosure process, we may notify our customers and the general public about this vulnerability according to the timeline outlined here: https://www.wordfence.com/security/. We may confidentially notify interested parties both inside and outside our organization before the announcement date. To avoid an accelerated disclosure timeline, please acknowledge receipt of this report within 14 days.
You should be aware that other researchers may independently discover this vulnerability and announce it prematurely. You should also note that this vulnerability may be exploited in the wild already. For these reasons we encourage you to release a fix as soon as possible to help protect your customers.
As a courtesy we ask that you notify us as soon as you release a fix to your customers. Please let me know if you have any questions.