• Resolved thebjhale

    (@thebjhale)


    Output sanitation is missing leading to an XSS vulnerability.

    wp_shopping_cart.php:488

    $replacement .= '<input type="hidden" name="cartLink" value="' . cart_current_page_url() . '" />';

    The function cart_current_page_url() does not provide sanitation. No sanitation present on the returned value of this function.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter thebjhale

    (@thebjhale)

    Vulnerability repeated on line 553 of same file:

    $replacement .= '<input type="hidden" name="wspsc_product" value="' . $name . '" /><input type="hidden" name="price" value="' . $price . '" /><input type="hidden" name="shipping" value="' . $shipping . '" /><input type="hidden" name="addcart" value="1" /><input type="hidden" name="cartLink" value="' . cart_current_page_url() . '" />';

    In our checking over this it looks like the value of $_SERVER["REQUEST_URI"] would normally be encoded, so cross-site scripting (XSS) couldn’t occur. Were you able to actually get XSS to occur?

    In any case it wouldn’t hurt to add sanitization or escaping to the code.

    We have notified the developer of this discussion of the issue.

    Plugin Author mra13

    (@mra13)

    I am looking into this. Will provide an update very soon.

    Plugin Author mra13

    (@mra13)

    @thebjhale, I have added escaping for that parameter. Please upgrade to the new version.

  • The topic ‘XSS Vulnerability – wp_shopping_cart.php’ is closed to new replies.
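
The reported pattern next to an escaped version, as an added example that is not code from the plugin or from anyone in this thread. `build_page_url()` is a hypothetical stand-in for `cart_current_page_url()`, whose body is not shown above, and `htmlspecialchars()` stands in for WordPress's `esc_attr()` / `esc_url()` so the file runs without WordPress; the host name and request URIs are constructed.

```php
<?php
// Added example, not the plugin's code. build_page_url() is a hypothetical
// stand-in for cart_current_page_url(), whose body is not shown in the thread.
function build_page_url(array $server): string {
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $server['SERVER_NAME'] . $server['REQUEST_URI'];
}

// Pattern from the report: the value is concatenated into the attribute as-is.
function cart_link_unescaped(string $url): string {
    return '<input type="hidden" name="cartLink" value="' . $url . '" />';
}

// Escaped at output. Inside WordPress, esc_attr() or esc_url() would be used;
// htmlspecialchars() stands in so this file runs without WordPress loaded.
function cart_link_escaped(string $url): string {
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="cartLink" value="' . $safe . '" />';
}

// True when the value attribute, as delimited by its quotes, decodes back to
// the URL that was put in; false means the attribute was closed early.
function value_round_trips(string $html, string $url): bool {
    if (!preg_match('/ value="([^"]*)"/', $html, $m)) {
        return false;
    }
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8') === $url;
}

// Constructed request URIs: one percent-encoded (the "normally encoded" case
// from the thread) and the same value with the double quote left raw.
$samples = [
    'encoded' => '/shop/?ref=%22x',
    'raw'     => '/shop/?ref="x',
];
foreach ($samples as $label => $uri) {
    $url = build_page_url(['SERVER_NAME' => 'shop.example', 'REQUEST_URI' => $uri]);
    printf("%-8s unescaped:%s escaped:%s\n", $label,
        value_round_trips(cart_link_unescaped($url), $url) ? 'intact' : 'broken',
        value_round_trips(cart_link_escaped($url), $url) ? 'intact' : 'broken');
}
```

Only the raw-quote input breaks the unescaped attribute; the escaped version stays intact for both, so its safety does not depend on how the client encoded the request.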