XSS in popular WooCommerce Product Vendors plugin

 

The popular WooCommerce WordPress plugin, used by 28 percent of all online stores, was just patched against a reflected cross-site scripting vulnerability (XSS).

The vulnerability was found by the company SiteLock.

The plugin vulnerability was disclosed to Automattic, the owner of, via its HackerOne security bounty program.

The fix for the vulnerability was released on July 28th and if you use WPScans.com you can scan for this vulnerability or use our premium version and get an E-mail warning.

The vulnerability can be tested with:

curl -X POST -d "vendor_description=<script>alert("xss")</script>" "https://steelpress.org/index.php/product-vendor-registration-form/?confirm_email=1&email=1&firstname=1&lastname=1&location=1&register=Register&username=1&vendor_description=1&vendor_name=

1 thought on “XSS in popular WooCommerce Product Vendors plugin”

  1. curl -X POST -d “vendor_description=alert(“xss”)” “https://steelpress.org/index.php/product-vendor-registration-form/?confirm_email=1&email=1&firstname=1&lastname=1&location=1&register=Register&username=1&vendor_description=1&vendor_name=

Leave a Comment

Your email address will not be published. Required fields are marked *