The other day while looking for information on a vulnerability possibly related to a plugin that exports order information from WooCommerce we ran across a report of an unrelated possible vulnerability in the plugin WooCommerce Order Export and More from php-grindr.
That report pointed to the value of the GET or POST input “tab” being assigned to the variable $tab in the file /order-export-and-more-for-woocommerce/inc/jem-exporter.php:
$tab = $_REQUEST['tab'];
Where it isn’t sanitized.
The value is included in the variable $html on line 295:
$html = ' <div class="hidden" style="display: none;" id="current-tab">' . $tab . '</div>
And then that is output without being escaped:
Checking over the rest of the code between those items made it look like there wasn’t anything else that would restrict that from being a reflected cross-site scripting (XSS) vulnerability. A quick test confirmed that it is exploitable, as shown in the proof of concept below. This type of vulnerability has almost no chance of being exploited on the average website, unless you were to believe the misinformation put out by other security companies.
The values of the GET or POST inputs “sub-tab” and “entity” are similarly exploitable.
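As an added illustration (not code from the plugin or from this post), the snippet below shows the unsafe pattern the post describes, a request-controlled value concatenated straight into markup, next to a hardened version that restricts the value to a known set of tab names and escapes it on output. The function names, the ALLOWED_TABS list and the sample request are constructed for the example; inside WordPress the escaping call would be esc_html(), for which htmlspecialchars() is the plain-PHP equivalent used here so the example runs on its own.

```php
<?php
// Added example, not the plugin's code. Function names and the tab list are hypothetical.

// Vulnerable pattern: the "tab" request value is dropped into the HTML unchanged,
// so any markup or script in it becomes part of the rendered page.
function render_tab_marker_unsafe(array $request): string {
    $tab = $request['tab'] ?? '';
    return '<div class="hidden" style="display: none;" id="current-tab">' . $tab . '</div>';
}

// Constructed list of tab names the page actually knows about.
const ALLOWED_TABS = ['orders', 'products', 'settings'];

// Hardened version: validate against the allow-list first, then escape on output.
// Escaping after validation is deliberate; it keeps the output safe even if the
// allow-list is later changed to include a name containing special characters.
function render_tab_marker_safe(array $request): string {
    $tab = (string) ($request['tab'] ?? '');
    if (!in_array($tab, ALLOWED_TABS, true)) {
        // Unknown value: fall back to a default rather than reflecting the input.
        $tab = ALLOWED_TABS[0];
    }
    // htmlspecialchars() stands in for WordPress's esc_html() here.
    $escaped = htmlspecialchars($tab, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="hidden" style="display: none;" id="current-tab">' . $escaped . '</div>';
}

// Constructed request carrying markup in the "tab" parameter.
$request = ['tab' => '"><b>injected</b>'];
echo render_tab_marker_unsafe($request), PHP_EOL; // markup lands in the page verbatim
echo render_tab_marker_safe($request), PHP_EOL;   // falls back to "orders"; nothing from the request is reflected
```

Run it with `php example.php`: the first line of output contains the injected tag intact, the second contains only the default tab name. The allow-list is the fix that removes the reflection entirely; the escaping is what protects a site that cannot enumerate valid values in advance.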
Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. Hopefully they will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon).
Proof of Concept
The following proof of concept will cause any available cookies to be shown in an alert box when logged in to WordPress as a user that has the “manage_woocommerce” capability. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/admin.php?page=JEM_EXPORT_MENU&tab=""><script>alert(document.cookie);</script>