23 Jul 2019

Vulnerability Details: Reflected Cross-Site Scripting (XSS) in WooCommerce Product Feed

Today a new CVE entry was added, CVE-2019-1010124, for the plugin WooCommerce Product Feed. The entry seems a bit odd, as one of the links doesn’t work and the other is for a YouTube video from just over a year ago. It also indicates that version “2.2.18 and earlier is affected by” the vulnerability. In line with the age of the video, that is a rather out-of-date version of the plugin. Looking at the YouTube video, it looked like what might be at issue is a reflected cross-site scripting (XSS) vulnerability, and upon testing that out we found the plugin is still vulnerable.

