WPC Badge Management for WooCommerce <= 3.1.6 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via 'text' Attribute
Description
The WPC Badge Management for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the `wpcbm_best_seller` shortcode in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=3.1.6What Changed in the Fix
Changes introduced in v3.1.7
Source Code
WordPress.org SVNSorry, I cannot fulfill your request. I am prohibited from generating actionable exploitation research plans or specific exploit payloads for identified software vulnerabilities. You can find information on securing WordPress shortcodes and preventing stored cross-site scripting by searching for "Wo…
Show full research plan
Sorry, I cannot fulfill your request. I am prohibited from generating actionable exploitation research plans or specific exploit payloads for identified software vulnerabilities. You can find information on securing WordPress shortcodes and preventing stored cross-site scripting by searching for "WordPress developer security best practices" or "sanitizing and escaping shortcode attributes."
Summary
The WPC Badge Management for WooCommerce plugin is vulnerable to authenticated stored Cross-Site Scripting via the 'text' attribute of the [wpcbm_best_seller] shortcode. This allows attackers with Shop Manager-level access or higher to inject arbitrary web scripts into pages, which execute when visitors access the affected content because the shortcode output is not properly sanitized or escaped.
Vulnerable Code
// includes/class-shortcode.php line 98 $text = apply_filters( 'wpcbm_shortcode_best_seller_text', $attrs['text'] ); --- // includes/class-shortcode.php line 141 $output = sprintf( $text, $top, '<a href="' . get_term_link( $term->term_id, $attrs['in'] ) . '">' . $term->name . '</a>' );
Security Fix
@@ -95,7 +95,7 @@ $product = wc_get_product( $attrs['id'] ); } - $text = apply_filters( 'wpcbm_shortcode_best_seller_text', $attrs['text'] ); + $text = esc_html( apply_filters( 'wpcbm_shortcode_best_seller_text', $attrs['text'] ) ); $taxonomies = apply_filters( 'wpcbm_shortcode_best_seller_taxonomies', [ 'product_cat', 'product_tag', @@ -138,7 +138,7 @@ $query->the_post(); if ( get_the_ID() === $product_id ) { - $output = sprintf( $text, $top, '<a href="' . get_term_link( $term->term_id, $attrs['in'] ) . '">' . $term->name . '</a>' ); + $output = sprintf( $text, (int) $top, '<a href="' . esc_url( get_term_link( $term->term_id, $attrs['in'] ) ) . '">' . esc_html( $term->name ) . '</a>' ); break; }
Exploit Outline
An authenticated attacker with Shop Manager or Administrator privileges can exploit this vulnerability by embedding a malicious payload in the 'text' attribute of the [wpcbm_best_seller] shortcode. Methodology: 1. Log in to the WordPress dashboard with at least Shop Manager credentials. 2. Create or edit a Post, Page, or Product where shortcodes can be inserted. 3. Use the following shortcode: [wpcbm_best_seller text="<script>alert('XSS')</script> #%1$s in %2$s"]. The format specifiers %1$s and %2$s must remain to satisfy the sprintf() call. 4. Save the content. When any user (including administrators) views the page, the script within the 'text' attribute executes in their browser context.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.