Cross-Site Scripting Fixed in Advanced Order Export For WooCommerce <= 3.1.7
A Cross-Site Scripting vulnerability was found in the WordPress plugin Advanced Order Export For WooCommerce, version 3.1.7 and lower. The vulnerability in the Advanced Order Export For WooCommerce plugin was originally found on February 15th and fixed by the 22nd. This was a reflected XSS, located in the plugin options page reached via the dashboard.
About The Plugin
Advanced Order Export For WooCommerce is a WordPress plugin with over 100,000 active installations. The plugin helps WooCommerce users easily export order data from their eCommerce stores. This can be extremely useful for store owners who want to analyze order data and other information about their store to better serve their customers. I would like to mention that the developer was super friendly, acknowledged the report, and took care of the issue right away. That’s always a great thing!
Reflected Cross-Site Scripting
While looking through the plugin I noticed the active tab from the plugin options URL was reflected on the page inside of a <script> tag.
wp-admin/admin.php?page=wc-order-export&tab=export
<script>
var ajaxurl = "http://localhost/wp-admin/admin-ajax.php"
var woe_nonce = "8c61d61d28"
var woe_active_tab = "export"
</script>
After noticing that the active tab parameter from the URL was reflected on the page, I changed the tab parameter from export to hi. That way I could see whether my custom input would also be reflected on the page. Sure enough, it was!
wp-admin/admin.php?page=wc-order-export&tab=hi
<script>
var ajaxurl = "http://localhost/wp-admin/admin-ajax.php"
var woe_nonce = "8c61d61d28"
var woe_active_tab = "hi"
</script>
As we can see, the hi value of the tab parameter is reflected back into the page. Seeing my input reflected unchanged inside the script block through the tab parameter, I knew it would be vulnerable to reflected cross-site scripting. I figured the easiest way to pop an alert would be to simply close out the current script tag and start a new one. Check out the references at the bottom of the post for further details.
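To make the root cause concrete, here is an added illustration (not the plugin's code, and not the fix shipped in 3.1.8) of the vulnerable pattern beside a hardened version. The function names and the list of allowed tab names are assumptions; the WordPress helpers used (sanitize_key, wp_unslash, esc_url_raw, wp_json_encode) are real.

```php
<?php
// Added example, not the plugin's own code. Function names and the allowed
// tab list are hypothetical; the WordPress helpers called are real.

// Vulnerable pattern: the raw request value is concatenated straight into
// JavaScript source. The string literal (and the <script> element itself)
// can be terminated by the reflected value, so the browser parses whatever
// follows as markup. This is exactly what tab=hi showed above.
function woe_example_vulnerable_script( $ajaxurl, $nonce ) {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'export';
    return '<script>' . "\n"
        . 'var ajaxurl = "' . $ajaxurl . '"' . "\n"
        . 'var woe_nonce = "' . $nonce . '"' . "\n"
        . 'var woe_active_tab = "' . $tab . '"' . "\n"
        . '</script>';
}

// Hardened pattern:
//  1. Only accept a tab name from a fixed allowlist; anything else falls
//     back to the default tab, so user input never reaches the output.
//  2. Emit every value as a JSON literal. wp_json_encode() escapes quotes,
//     backslashes and "/" (so a closing script tag cannot be formed), which
//     is the correct encoding for data placed inside an inline <script>.
function woe_example_safe_script( $ajaxurl, $nonce ) {
    $allowed = array( 'export', 'settings' ); // assumed tab names
    $tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'export';
    if ( ! in_array( $tab, $allowed, true ) ) {
        $tab = 'export';
    }
    return '<script>' . "\n"
        . 'var ajaxurl = ' . wp_json_encode( esc_url_raw( $ajaxurl ) ) . ";\n"
        . 'var woe_nonce = ' . wp_json_encode( $nonce ) . ";\n"
        . 'var woe_active_tab = ' . wp_json_encode( $tab ) . ";\n"
        . '</script>';
}
```

With the hardened version, a request with tab=hi renders var woe_active_tab = "export", and the reflected value can no longer influence the script block at all.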
Timeline
- Feb. 15th 2021: Vulnerability discovered.
- Feb. 15th 2021: Contacted developer about vulnerability.
- Feb. 16th 2021: Developer confirmed vulnerability.
- Feb. 16th 2021: Developer sent a hotfix for me to confirm the fix.
- Feb. 16th 2021: I confirmed the fix & dev set a release for the coming week.
- Feb. 22nd 2021: Version 3.1.8 was released, fixing the vulnerability.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24169
https://wpscan.com/vulnerability/09681a6c-57b8-4448-982a-fe8d28c87fc3
If you enjoyed this post, check out my last post regarding two plugins vulnerable to Cross-Site Request Forgery to Database Downloads.