19 Nov 2019

Vulnerability Details: Reflected Cross-Site Scripting (XSS) in AdRoll for WooCommerce Stores

The plugin AdRoll for WooCommerce Stores was closed on the Plugin Directory two days ago. Earlier today a new version of the plugin was submitted with the changelog “Security update”. Looking at the changes made in the new version, we found a reflected cross-site scripting (XSS) vulnerability, which has been at least partially fixed.

In the function adroll_adv_eid_callback() the value of the GET input “adv” was previously being output without being sanitized or escaped:

public function adroll_adv_eid_callback() {
	// Render input for the adroll advertisable eid field in the config page
	$val = $_GET['adv'];
	echo '<input id="adroll_adv_eid" name="adroll_adv_eid" type="hidden" value="'.$val.'" />';

In the new version the value is sanitized using sanitize_text_field():

public function adroll_adv_eid_callback() {
	// Render input for the adroll advertisable eid field in the config page
	$val = sanitize_text_field($_GET['adv']);
	echo '<input id="adroll_adv_eid" name="adroll_adv_eid" type="hidden" value="'.$val.'" />';

Since the value is used as an HTML attribute, that isn’t the appropriate function, though in our limited testing we didn’t see how this could be bypassed in this particular situation. We couldn’t find a contact for the developer of the plugin to notify them of that.
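The difference between stripping tags and escaping for the attribute context can be checked by parsing the rendered markup. The following is an added example, not code from the plugin or from WordPress: it runs under plain PHP with the DOM extension, and strip_only(), attr_escape(), render_input() and audit() are hypothetical helpers, with strip_only() approximating only the tag stripping that sanitize_text_field() performs and attr_escape() standing in for esc_attr().

```php
<?php
// Added example (not the plugin's code). Runs with plain PHP + ext-dom, no WordPress.
// strip_only() is a hypothetical stand-in for the tag stripping done by
// sanitize_text_field(); attr_escape() stands in for WordPress's esc_attr().

function strip_only(string $s): string {
    return trim(strip_tags($s));
}

function attr_escape(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same markup as adroll_adv_eid_callback(), with the value passed in.
function render_input(string $val): string {
    return '<input id="adroll_adv_eid" name="adroll_adv_eid" type="hidden" value="' . $val . '" />';
}

// Parse the markup as HTML and report what ended up in the document.
function audit(string $html): array {
    libxml_use_internal_errors(true); // malformed markup is expected here
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $input = $doc->getElementsByTagName('input')->item(0);
    $attrs = [];
    foreach ($input->attributes as $a) {
        $attrs[] = $a->nodeName;
    }
    sort($attrs);
    return [
        'attrs'   => implode(',', $attrs),
        'value'   => $input->getAttribute('value'),
        'scripts' => $doc->getElementsByTagName('script')->length,
    ];
}

// Constructed inputs: the PoC value from this post, and a quote-only value with no tags.
$samples = [
    'poc'        => '"><script>alert(document.cookie);</script>',
    'quote-only' => 'x" data-injected="1',
];

foreach ($samples as $name => $raw) {
    foreach (['raw' => $raw, 'strip_only' => strip_only($raw), 'attr_escape' => attr_escape($raw)] as $mode => $val) {
        $r = audit(render_input($val));
        printf("%-10s %-11s attrs=%-36s scripts=%d value=%s\n", $name, $mode, $r['attrs'], $r['scripts'], $r['value']);
    }
}
```

Only the attr_escape rows keep exactly the four original attributes and return the submitted string intact as the value. In the plugin itself, the equivalent change is to wrap $val in esc_attr() at the point where it is echoed.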

Proof of Concept

The following proof of concept will cause any available cookies to be shown in an alert box. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin.php?page=wp_adroll&adv="><script>alert(document.cookie);</script>&pixel=test
