2. Install and activate the Abu Bakar TWB Woocommerce Reviews plugin (v1.7.5 or lower).
3. Create or edit a review in the plugin, and insert the following payload into the review content: "><script>alert('XSS');</script>
4. Save the review and have another user (for example, another admin or a customer) view the crafted review.
Exploiting this vulnerability, an attacker could replace the example payload with more advanced and malicious payloads to perform various attacks on the target site and its users, such as stealing session cookies, redirecting users to malicious websites, or executing unauthorized actions on behalf of the users.
- CVE-2023-47653 - From the Common Vulnerabilities and Exposures database: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-47653
- Abu Bakar TWB Woocommerce Reviews Plugin Homepage: https://wordpress.org/plugins/twb-woocommerce-reviews/
To mitigate this vulnerability, it is highly recommended that users upgrade to the latest version of the plugin as soon as possible. Alternatively, users can deactivate and remove the vulnerable plugin and look for a secure alternative until a patch is released.
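For developers patching a plugin with this class of defect, the underlying fix is to escape stored review fields for the context in which they are rendered, rather than echoing them verbatim. The following PHP is an added illustration, not the plugin's or vendor's code; the function names, the $review array layout and the surrounding markup are assumptions for the demonstration.

```php
<?php
// Added illustrative example (not the plugin's own code). The function
// names, the $review array layout and the markup are assumptions.

// Vulnerable pattern: stored review fields are echoed verbatim. The
// advisory's payload, "><script>alert('XSS');</script>, closes the
// title attribute and the opening tag, then injects a script element.
function render_review_unsafe( array $review ) {
    return '<div class="twb-review" title="' . $review['title'] . '">'
         . '<p>' . $review['content'] . '</p></div>';
}

// Hardened pattern: escape each value for the context it lands in.
// esc_attr() for attribute values, esc_html() for text nodes, and
// wp_kses_post() only where a limited allow-list of HTML is intended.
function render_review_safe( array $review ) {
    return '<div class="twb-review" title="' . esc_attr( $review['title'] ) . '">'
         . '<p>' . esc_html( $review['content'] ) . '</p></div>';
}

// Defence in depth: also normalise the field when it is saved, so the
// stored value never carries raw markup in the first place. This does
// not replace output escaping, which is what stops the XSS.
function save_review_content( $raw_content ) {
    return sanitize_textarea_field( wp_unslash( $raw_content ) );
}

// Constructed sample input mirroring the advisory's payload.
$review = array(
    'title'   => '"><script>alert(\'XSS\');</script>',
    'content' => '"><script>alert(\'XSS\');</script>',
);

echo render_review_unsafe( $review ); // script element reaches the browser
echo render_review_safe( $review );   // payload rendered as inert literal text
```

The unsafe renderer emits a live script element; the hardened one emits the same bytes as entity-encoded text, so any user viewing the review sees the payload as a string.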
The vendor has been notified of the vulnerability, and a patch is expected to be released soon.
The authenticated stored XSS vulnerability discovered in the Abu Bakar TWB Woocommerce Reviews plugin (v1.7.5 and below) poses a security risk to websites using the plugin and their users. By updating the plugin or implementing other security measures, website owners can help protect themselves and their users from potential malicious attacks.
Published on: 11/14/2023 19:15:31 UTC
Last modified on: 11/17/2023 15:56:48 UTC