WordPress WPify Woo Czech <3.5.7 - Cross-Site Scripting

What is the "WordPress WPify Woo Czech <3.5.7 - Cross-Site Scripting" module?

The "WordPress WPify Woo Czech <3.5.7 - Cross-Site Scripting" module is a test case designed to detect a cross-site scripting vulnerability in the WordPress WPify Woo Czech plugin version 3.5.7 and below. This plugin utilizes the Vies library 2.2.0, which has a sample file that outputs potentially vulnerable code.

This module is classified as a high severity vulnerability with a CVSS score of 7.2. It targets websites using the WPify Woo Czech plugin and aims to identify instances where cross-site scripting attacks may be possible.

Impact

A successful exploitation of the cross-site scripting vulnerability in the WordPress WPify Woo Czech plugin can allow an attacker to inject malicious scripts into web pages viewed by users. This can lead to various consequences, including unauthorized access to sensitive information, session hijacking, and the potential for further attacks.

How does the module work?

The module works by sending a specific HTTP request to the target website and then analyzing the response to determine if the vulnerability exists. The request path used in the module's template is:

/wp-content/plugins/wpify-woo/deps/dragonbe/vies/examples/async_processing/queue.php/"><script>alert(document.domain)</script>

The module's matching conditions are as follows:

- The response body must contain the following words: "<script>alert(document.domain)</script>" and "Add a new VAT ID to the queue". - The response header must contain the word "text/html". - The HTTP status code must be 200.

If all of these conditions are met, the module will report a vulnerability.

Please note that this description is for informational purposes only and does not provide any instructions or guidance on exploiting the vulnerability. It is important to address and fix any identified vulnerabilities promptly to ensure the security of your website.