CVE-2023-2256 Scanner

Product Addons & Fields for WooCommerce is a WordPress plugin that allows e-commerce store owners to add customizable product options to their WooCommerce-powered stores. It is widely used to provide customers with advanced personalization features, such as dropdown selections, text fields, checkboxes, and pricing adjustments. This plugin is developed to enhance user experience and streamline order management. It is particularly popular among businesses that sell customizable or made-to-order products. The plugin integrates seamlessly with WooCommerce and other WordPress extensions. Due to its flexibility, it is used by small to large-scale online retailers.

The vulnerability in Product Addons & Fields for WooCommerce allows for a Cross-Site Scripting (XSS) attack. This occurs because the plugin fails to properly sanitize and escape certain URL parameters in the admin panel. As a result, an attacker can inject malicious JavaScript code that executes within an administrator’s browser. The attack requires user interaction, such as clicking a malicious link, making it a reflected XSS vulnerability. If successfully exploited, this can lead to unauthorized actions being performed in the victim's browser. It can also be used to steal session cookies or manipulate website content.

The vulnerability is located in the plugin's admin panel, where certain URL parameters are not properly escaped. Attackers can craft a URL containing malicious script payloads, which execute when an administrator accesses the affected page. Specifically, the parameter in the `admin.php` file allows script execution due to improper input validation. When exploited, the attacker's JavaScript code can be used to gain unauthorized access or exfiltrate sensitive information. This issue arises from inadequate security measures in handling user-supplied input. The vulnerability affects all versions of the plugin prior to 32.0.7.

When exploited, this XSS vulnerability can have serious security implications. It may allow attackers to hijack administrator sessions, perform unauthorized actions, or deface the website. Additionally, malicious scripts could be used to redirect users to phishing sites or steal login credentials. Attackers could also modify website content to mislead customers and harm business credibility. In severe cases, it could lead to privilege escalation if an administrator unknowingly executes the attacker's script. This vulnerability highlights the importance of proper input sanitization and escaping in web applications.

REFERENCES

• https://wpscan.com/vulnerability/1187e041-3be2-4613-8d56-c2394fcc75fb
• https://nvd.nist.gov/vuln/detail/CVE-2023-2256