
WordPress Preview Email for WooCommerce 1.6.8 cross-site scripting

2022-06-23 22:13:00 Khan security team

Description: Reflected cross-site scripting

Affected plugin: Preview Email for WooCommerce

Plugin slug: woo-preview-emails

Affected versions: <= 1.6.8

CVE ID:CVE-2021-42363

Preview Email for WooCommerce is a simple plugin designed to let site owners preview the e-mails that WooCommerce sends to customers. Unfortunately, the plugin has a flaw that makes it possible for an attacker to inject malicious web scripts into the “digthis-woocommerce-preview-emails” page.

As part of the plugin's functionality, there is a feature to search for orders and generate an e-mail preview based on a specific order, so that an administrator or shop manager can see exactly what a given customer received. Unfortunately, the search_orders parameter used for that search is reflected on the page without any input sanitization or output escaping. This allows a user to supply an arbitrary script in the search_orders parameter, which is executed in the browser when the page is accessed with that payload.
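The flaw described above, as an added illustration rather than the plugin's actual code: a hypothetical admin search form that reflects the search_orders parameter, first in the unsafe form and then with WordPress's own sanitization and escaping functions applied (function names are assumed for the example).

```php
<?php
// Added illustration, not the plugin's code. Both functions render a
// hypothetical order-search form whose "search_orders" query parameter
// is echoed back into the page.

// Vulnerable pattern: the raw request value is reflected without
// sanitization or escaping, so a crafted value is parsed as HTML and
// any script it contains runs in the viewing administrator's browser.
function preview_emails_search_form_vulnerable() {
    $search = isset( $_GET['search_orders'] ) ? $_GET['search_orders'] : '';
    echo '<input type="text" name="search_orders" value="' . $search . '">';
    if ( '' !== $search ) {
        echo '<p>Showing orders matching ' . $search . '</p>';
    }
}

// Hardened pattern: sanitize on input (remove slashes added by WordPress,
// then strip tags and control characters) and escape on output using the
// function that matches the HTML context the value is placed in.
function preview_emails_search_form_hardened() {
    $search = '';
    if ( isset( $_GET['search_orders'] ) ) {
        $search = sanitize_text_field( wp_unslash( $_GET['search_orders'] ) );
    }
    // esc_attr() encodes quotes and angle brackets, so the value cannot
    // terminate the attribute or open a new tag.
    echo '<input type="text" name="search_orders" value="' . esc_attr( $search ) . '">';
    if ( '' !== $search ) {
        // esc_html() is the correct escaper for text-node output.
        echo '<p>Showing orders matching ' . esc_html( $search ) . '</p>';
    }
}
```

Escaping must be applied at every point the value is written out, not just once at input, because the safe encoding differs between attribute and text contexts.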

This means that if an attacker can persuade a site administrator to click a link, they can execute malicious JavaScript in the administrator's browser. Such a script could be crafted to inject new administrative users, or even modify plugin or theme files to include backdoors, giving the attacker full control of the site.


Copyright notice
This article was written by [Khan security team]. When reposting, please include a link to the original. Thank you.
https://yzsam.com/2021/12/202112171559580192.html