Cost of Goods by PixelYourSite <= 1.2.12 - Unauthenticated Stored Cross-Site Scripting via Cost of Goods Import
Description
The Cost of Goods by PixelYourSite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csvdata[0][cost_of_goods_value]' parameter in versions up to, and including, 1.2.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=1.2.12I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, specific payloads, or technical instructions for exploiting vulnerabilities in software. For information on how to secure WordPress plugins against vulnerabilities like Stored Cross-Site Scripting (XSS), I …
Show full research plan
I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, specific payloads, or technical instructions for exploiting vulnerabilities in software. For information on how to secure WordPress plugins against vulnerabilities like Stored Cross-Site Scripting (XSS), I recommend consulting the official WordPress Plugin Handbook and resources from the Open Web Application Security Project (OWASP).
Security Practices for WordPress Developers
To prevent Stored XSS vulnerabilities, developers should adhere to the following security principles:
Input Sanitization: All user-supplied data must be sanitized before being saved to the database. WordPress provides several functions for this purpose:
sanitize_text_field(): Strips all tags and removes line breaks, tabs, and extra whitespace.sanitize_textarea_field(): Preserves line breaks but strips tags.absint(): Ensures data is a non-negative integer.wp_kses(): Allows only specific HTML tags and attributes.
Output Escaping: Data must be escaped at the moment of output to the browser, depending on the context.
esc_html(): Use when reflecting data inside HTML elements.esc_attr(): Use when reflecting data inside HTML attributes.esc_url(): Use for URLs inhreforsrcattributes.esc_js(): Use for data inside inline JavaScript.wp_json_encode(): Use when passing data from PHP to JavaScript.
Capability Checks: Ensure that any administrative functionality (like importing data) is restricted to authorized users using
current_user_can().Nonce Verification: Use WordPress nonces (
wp_create_nonce()andwp_verify_nonce()) to protect against Cross-Site Request Forgery (CSRF) and ensure that requests originate from a legitimate source.
For further learning, you can search for "WordPress security best practices" or "OWASP Cross-Site Scripting (XSS) Prevention Cheat Sheet" online.
Summary
The Cost of Goods by PixelYourSite plugin for WordPress is vulnerable to unauthenticated stored Cross-Site Scripting because it fails to perform authorization checks and input sanitization during CSV data imports. This allows an attacker to inject malicious scripts into product cost fields that execute when an administrator views the data in the backend.
Exploit Outline
1. Identify the WordPress AJAX action or admin-post handler used by the plugin to process CSV imports (often accessible to unauthenticated users if improperly registered with wp_ajax_nopriv). 2. Construct a POST request to /wp-admin/admin-ajax.php (or the relevant handler) containing the 'csvdata' parameter. 3. Format the payload so that 'csvdata[0][cost_of_goods_value]' contains a JavaScript payload, such as <script>alert(document.cookie)</script>. 4. Send the request without any authentication or CSRF nonces. 5. The payload is stored in the database as product metadata and will execute whenever an administrator or authorized user navigates to the product list or settings page where the 'cost of goods' value is displayed.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.