当前位置:网站首页>WordPress preview email for wocomerce 1.6.8 cross site scripting

WordPress preview email for wocomerce 1.6.8 cross site scripting

2022-06-23 22:13:00 Khan security team

describe : Reflect cross site scripts

Affected plugins :WooCommerce Preview email for

plug-in unit Slug:woo-preview-emails

The affected version :<= 1.6.8

CVE ID:CVE-2021-42363

WooCommerce Preview email is a simple plug-in , Designed to allow site owners to preview through WooCommerce E-mails sent to customers . Unfortunately , The plug-in has a flaw , It makes it possible for an attacker to maliciously Web Script injection “digthis-woocommerce-preview-emails” page .

As part of the plug-in functionality , There is a function to search for orders and generate email previews based on specific orders , So that the administrator or store manager can accurately view the content of the sent email seen by a specific user . Unfortunately , For searching search_orders Parameters are reflected on the page , And no input cleanup or output escape , This allows users to provide arbitrary scripts , When using a payload to access a page , These scripts will be executed in the browser in search_orders Parameter .

It means , If the attacker can successfully persuade the site administrator to click the link , They can make malice JavaScript Execute... In the administrator's browser . This script can be crafted to inject new administrative users , Even modify plug-ins or theme files to include backdoors , This allows an attacker to take full control of the site .

原网站

版权声明
本文为[Khan security team]所创,转载请带上原文链接,感谢
https://yzsam.com/2021/12/202112171559580192.html

边栏推荐

猜你喜欢

随机推荐