Title: Reflected XSS  
Product: WordPress WooCommerce - Advanced Order Export plugin.  
Vendor Homepage:  
Vulnerable Version: 3.1.3  
Fixed Version: 3.1.4  
CVE Number: CVE-2020-11727  
Author: Jack Misiura from The Missing Link   
2020-04-08 Disclosed to Vendor  
2020-04-08 Vendor sends fix for testing  
2020-04-09 Fix confirmed  
2020-04-28 Vendor publishes fix  
2020-05-04 Publication  
1. Vulnerability Description  
The WordPress Advanced Order Export WooCommerce plugin does not sanitise the woe_post_type parameter which can be passed through in the URL, allowing for HTML or JavaScript injection.  
2. PoC  
On a WordPress installation with WooCommerce and a vulnerable Advanced Order Export plugin, issue the following request while logged in as Administrator:  
3. Solution  
The vendor provides an updated version (3.1.4) which should be installed immediately.  
4. Advisory URL