CVE-2025-69386

RVCFDI para Woocommerce <= 8.1.8 - Reflected Cross-Site Scripting

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS Score: 6.1
Severity: medium
Patched in: Unpatched
Time to patch: N/A

Description

The RVCFDI para Woocommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 8.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <=8.1.8
Published: February 9, 2026
Last updated: February 16, 2026
Research Plan
Unverified

This research plan outlines the steps to identify and exploit a reflected Cross-Site Scripting (XSS) vulnerability in the RVCFDI para Woocommerce plugin (versions <= 8.1.8).

1. Vulnerability Summary

The RVCFDI para Woocommerce plugin fails to sufficiently sanitize and escape user-controlled input from HTTP parameters before echoing them back into the HTML response. This allows an attacker to craft a malicious URL that, when clicked by a victim (such as a site administrator), executes arbitrary JavaScript in the context of the victim's browser session.

2. Attack Vector Analysis

  • Type: Reflected XSS
  • Endpoint: Likely an admin settings page (wp-admin/admin.php) or a WooCommerce order-related page where the plugin reflects status messages or tab identifiers.
  • Vulnerable Parameters (Suspected): tab, section, msg, error, order_id, or rvcfdi_action.
  • Authentication Level: Unauthenticated to craft the link; requires a logged-in user (typically an administrator) to click the link for maximum impact.
  • Preconditions: The plugin must be active.

3. Code Flow (Search Strategy)

Since source files are not provided, the following search strategy must be used to locate the sink:

  1. Identify Sinks: Search for raw echoes of superglobals in the plugin directory.

    grep -rnE 'echo.*\$_(GET|REQUEST|POST)' wp-content/plugins/rvcfdi-para-woocommerce/
    
  2. Target Logic: Focus on files handling admin settings or order displays:

    • rvcfdi-para-woocommerce.php (Main entry)
    • includes/admin/ or admin/ directory files.
    • Hooks like admin_notices or woocommerce_admin_order_data_after_order_details.
  3. Trace the Sink:

    • Look for code similar to: echo $_GET['tab']; or echo $_GET['msg'];
    • Verify if esc_html(), esc_attr(), or wp_kses() are missing.
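The sink search in this section can be done with a small script instead of a one-line grep, so that output calls which already wrap the superglobal in an escaping function are not reported. The following is an added example, not code from the plugin or from this page's author; the PHP lines it scans are constructed stand-ins for plugin source, and the file name and parameter names are invented for illustration. It only flags a superglobal that appears directly in an echo/print/printf statement without an immediately surrounding WordPress escaping or sanitizing call; taint that flows through an intermediate variable (e.g. `$tab = $_GET['tab']; ... echo $tab;`) is out of scope and still needs manual tracing.

```python
import re

# Constructed sample PHP source standing in for plugin files (not the real plugin's code).
SAMPLE_PHP = {
    "admin/settings-page.php": [
        "<?php",
        "$tab = isset($_GET['tab']) ? $_GET['tab'] : 'general';",          # assignment, not an output sink
        "echo '<a class=\"nav-tab\" href=\"?page=rvcfdi-settings&tab=' . $_GET['tab'] . '\">';",  # unescaped
        "echo esc_html( $_GET['msg'] );",                                    # escaped for HTML text
        "echo '<div class=\"notice\">' . esc_attr( $_REQUEST['error'] ) . '</div>';",  # escaped for attribute
        "echo wp_kses_post( $_POST['note'] );",                              # filtered through an allow-list
        "printf( '<p>%s</p>', $_GET['section'] );",                         # unescaped via printf
    ],
}

# $_GET['name'] / $_POST["name"] / $_REQUEST['name'], capturing the parameter name.
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST)\s*\[\s*['\"](\w+)['\"]\s*\]"

# Statements that write to the response body.
OUTPUT_CALL = re.compile(r"^\s*(?:echo|print|printf)\b")

# A superglobal whose *immediate* wrapper is a WordPress escaping/sanitizing function.
# A superglobal concatenated inside the wrapper's argument is deliberately not credited
# (e.g. esc_html('x' . $_GET['y']) still gets flagged), which errs on the side of review.
ESCAPED = re.compile(
    r"\b(?:esc_html|esc_attr|esc_js|esc_url|wp_kses(?:_post)?|sanitize_text_field|absint|intval)"
    r"\s*\(\s*" + SUPERGLOBAL
)


def find_unescaped_sinks(files):
    """Return (path, line number, parameter) for each superglobal echoed without escaping."""
    findings = []
    for path, lines in files.items():
        for lineno, line in enumerate(lines, 1):
            if not OUTPUT_CALL.match(line):
                continue
            all_params = set(re.findall(SUPERGLOBAL, line))
            escaped_params = set(ESCAPED.findall(line))
            for param in sorted(all_params - escaped_params):
                findings.append((path, lineno, param))
    return findings


if __name__ == "__main__":
    for path, lineno, param in find_unescaped_sinks(SAMPLE_PHP):
        print(f"{path}:{lineno}: unescaped request parameter '{param}' reaches output")
```

Run against a real checkout, the `SAMPLE_PHP` dict would be replaced by reading each `.php` file under the plugin directory into a list of lines; the matching logic stays the same.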

4. Nonce Acquisition Strategy

Reflected XSS vulnerabilities often occur during the initial page load or within error/status messages that do not require a nonce.

  • If the sink is in an Admin Page: Nonces are typically not checked for simple GET requests to view a page (e.g., admin.php?page=rvcfdi-settings&tab=...).
  • If a nonce is required:
    1. The agent should check if the nonce is exposed in the page source via wp_localize_script.
    2. Check for JS variables like rvcfdi_vars or rvcfdi_admin_data.
    3. Use browser_eval to extract it: window.rvcfdi_vars?.nonce.

5. Exploitation Strategy

Once the vulnerable parameter is identified (e.g., tab), follow these steps:

  1. Identify the Page: Determine the page slug for the plugin (e.g., rvcfdi-settings).
  2. Construct Payload:
    • Basic: <script>alert(document.domain)</script>
    • Attribute Breakout (if reflected in a value or id): "><script>alert(1)</script>
  3. Execute via HTTP Request:
    Use http_request as a logged-in administrator to simulate the victim clicking the link.
    • URL: http://localhost:8080/wp-admin/admin.php?page=[SLUG]&tab=<script>alert(1)</script>
  4. Confirm Execution:
    Use browser_navigate to the malicious URL and check for an alert or the presence of the unsanitized script in the DOM.

6. Test Data Setup

  1. Plugin Activation: Ensure the plugin is active.
    wp plugin activate rvcfdi-para-woocommerce
    
  2. WooCommerce Context: If the vulnerability is in the order view, create a dummy order.
    wp post create --post_type=shop_order --post_status=wc-processing --post_title="XSS Test Order"
    
  3. Administrator Session: Ensure the agent has the cookies for an administrator user to access /wp-admin/ pages.

7. Expected Results

  • The HTTP response should contain the literal string provided in the parameter (e.g., <script>alert(1)</script>) without HTML entity encoding.
  • In a browser context, the JavaScript should execute, demonstrating the ability to perform actions on behalf of the user.

8. Verification Steps

  1. Source Check:
    # Check if the payload is reflected unencoded
    curl -s -b admin_cookies.txt "http://localhost:8080/wp-admin/admin.php?page=[SLUG]&tab=UNSANI_CANARY" | grep "UNSANI_CANARY"
    
  2. DOM Check:
    Use browser_eval to check if a specific element or global variable injected by the payload exists.
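The source check above greps for an alphanumeric canary, which proves the parameter is reflected but not whether it is reflected without HTML entity encoding: `UNSANI_CANARY` looks the same whether or not `esc_attr()` ran. A canary that includes the characters an escaper must neutralise resolves that ambiguity. The following is an added example, not code from this page's author, that classifies a response body as reflecting the canary raw, escaped, altered (token present but metacharacters stripped), or not at all; the response bodies are constructed samples and the token name is arbitrary. It covers the expected result in section 7 and the verification step in section 8.

```python
import html

TOKEN = "xsscanary"  # arbitrary unique token; constructed for this example


def make_canary(token):
    """Wrap the token in the characters an HTML escaper must encode.

    A bare alphanumeric token cannot distinguish raw from escaped reflection,
    so the canary carries a double quote, angle brackets and a single quote.
    """
    return f'"<{token}>\''


def classify_reflection(body, token):
    """Return 'raw', 'escaped', 'altered' or 'absent' for the canary in a response body."""
    canary = make_canary(token)
    if canary in body:
        return "raw"
    # esc_html()/esc_attr() use htmlspecialchars with ENT_QUOTES, which encodes the
    # single quote as &#039;; Python's html.escape uses &#x27;. Accept either form.
    escaped_variants = {
        html.escape(canary, quote=True),
        canary.replace("&", "&amp;")
              .replace('"', "&quot;")
              .replace("<", "&lt;")
              .replace(">", "&gt;")
              .replace("'", "&#039;"),
    }
    if any(v in body for v in escaped_variants):
        return "escaped"
    if token in body:
        return "altered"  # e.g. stripped by wp_kses() or sanitize_text_field()
    return "absent"


# Constructed sample response fragments for each outcome (not captured from the plugin).
RESPONSES = {
    "raw": f'<a class="nav-tab" href="?page=settings&tab={make_canary(TOKEN)}">General</a>',
    "escaped": f'<a class="nav-tab" href="?page=settings&tab=&quot;&lt;{TOKEN}&gt;&#039;">General</a>',
    "sanitized": f'<a class="nav-tab" href="?page=settings&tab={TOKEN}">General</a>',
    "absent": '<a class="nav-tab" href="?page=settings&tab=general">General</a>',
}


def run_samples():
    """Classify every constructed sample; used to show the four outcomes side by side."""
    return {name: classify_reflection(body, TOKEN) for name, body in RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:10s} -> {verdict}")
```

In practice the body passed to `classify_reflection` is the output of the curl command in step 1, with the canary URL-encoded in the query string; only a `raw` verdict supports the conclusion that the sink lacks output escaping.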

9. Alternative Approaches

  • Action-based Reflection: If $_GET['tab'] is not vulnerable, check $_GET['rvcfdi_action'] or $_GET['error_code'].
  • Redirect Reflection: Some plugins reflect parameters in "Success" or "Error" banners after a form submission. Test by submitting settings with a malicious msg parameter if the plugin uses a pattern like admin.php?page=...&msg=Settings+Saved.
  • WooCommerce Checkout: Check if the XSS triggers on the order-received (thank you) page if custom CFDI data is passed via URL.

Research Findings

Static analysis — not yet PoC-verified

Summary

The RVCFDI para Woocommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting (XSS) in versions up to and including 8.1.8. This occurs because the plugin fails to sufficiently sanitize and escape user-controlled input from HTTP parameters before echoing them back into the HTML response on administrative pages.

Exploit Outline

  1. Identify an administrative page or WooCommerce order-related page handled by the plugin, such as `wp-admin/admin.php?page=rvcfdi-settings`.
  2. Identify a reflected parameter within that page, likely `tab`, `section`, `msg`, `error`, or `rvcfdi_action`.
  3. Construct a malicious URL containing a JavaScript payload (e.g., `<script>alert(document.domain)</script>`) assigned to the vulnerable parameter.
  4. Trick an authenticated WordPress administrator into clicking the crafted link.
  5. Upon navigation, the payload executes in the context of the administrator's browser session, allowing for actions such as session hijacking or administrative configuration changes.
