Cross-site Scripting (XSS) - Reflected in blockonomics/woocommerce-plugin


Reported on

May 1st 2021

✍️ Description

Reflected javascript injection vulnerabilities exist when web applications take parameters from the URL and display them on a page. Reflection vulnerabilities occur when a website outputs a variable from the webpage URL directly to the page, such as in a PHP application that accepts parameters and displays them on screen. If javascript code is passed into the PHP script and output to the page, the browser may be tricked into treating it like other javascript and executing it.

🕵️‍♂️ Proof of Concept

Vulnerable code snippet available at

User controlled GET parameter filter_by is reflected directly inside the input tag without sanitization.

 function filter_orders() {
        global $typenow;
        if ( 'shop_order' === $typenow ) {
            <input size='26' value="<?php if(isset( $_GET['filter_by'] )) echo($_GET['filter_by']); ?>" type='name' placeholder='Filter by crypto address/txid' name='filter_by'>

💥 Impact

Reflected XSS can be used to bypass Same Origin Policy which can be leveraged to perform any action which a user can do manually using the attacker controlled javascript.

Blockonomics validated this vulnerability 2 years ago
Shiva Gupta has been awarded the disclosure bounty
The fix bounty is now up for grabs
Blockonomics marked this as fixed with commit d2059d 2 years ago
Shiva Gupta has been awarded the fix bounty
This vulnerability will not receive a CVE
Shiva Gupta
2 years ago



Does it qualify for a CVE??? As this bug is reported in a WordPress plugin, I believe it should qualify for the CVE number. Please let me know

to join this conversation