XSS in popular WooCommerce Product Vendors plugin


The popular WooCommerce WordPress plugin, used by 28 percent of all online stores, was just patched against a reflected cross-site scripting (XSS) vulnerability.

The vulnerability was found by the company SiteLock.

The plugin vulnerability was disclosed to Automattic, the owner of WooCommerce, via its HackerOne security bounty program.

The fix for the vulnerability was released on July 28th. If you use WPScans.com, you can scan for this vulnerability, or use our premium version and get an e-mail warning.

The vulnerability can be tested with:

curl -X POST -d 'vendor_description=<script>alert("xss")</script>' "https://steelpress.org/index.php/product-vendor-registration-form/?confirm_email=1&email=1&firstname=1&lastname=1&location=1&register=Register&username=1&vendor_description=1&vendor_name="
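
The bug class behind the test command above, as an added example (not the plugin's actual code, which this post does not show): a form handler that echoes the submitted vendor_description back into the page, first unescaped and then escaped at output. The function names and the surrounding HTML are hypothetical; inside WordPress, esc_html() or esc_textarea() would take the place of htmlspecialchars().

```php
<?php
// Added illustration: hypothetical handler, not the plugin's code.
// Models a registration form that re-displays the submitted
// vendor_description in the response page.

// Vulnerable: the request value is concatenated into HTML as-is,
// so markup in the parameter becomes markup in the response.
function render_description_unescaped(array $post): string
{
    $desc = $post['vendor_description'] ?? '';
    return '<div class="vendor-description">' . $desc . '</div>';
}

// Hardened: escape at output time for the HTML text context.
// In WordPress, esc_html() / esc_textarea() serve this purpose.
function render_description_escaped(array $post): string
{
    $desc = $post['vendor_description'] ?? '';
    if (!is_string($desc)) {
        // vendor_description[]=x arrives as an array; treat it as empty.
        $desc = '';
    }
    return '<div class="vendor-description">'
        . htmlspecialchars($desc, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</div>';
}

// Constructed request body matching the test command above.
$post = ['vendor_description' => '<script>alert("xss")</script>'];

$pages = [
    'unescaped' => render_description_unescaped($post),
    'escaped'   => render_description_escaped($post),
];

foreach ($pages as $label => $html) {
    // A live "<script" in the response means the browser would run it.
    $live = stripos($html, '<script') !== false ? 'yes' : 'no';
    printf("%-9s live <script> tag: %s\n", $label, $live);
    echo '  ', $html, PHP_EOL;
}
```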
