Advanced Order Export For WooCommerce < 3.1.8 - Reflected Cross-Site Scripting (XSS)
Description
Reflected XSS in the tab parameter of Advanced Order Export For WooCommerce plugin for WordPress allows authenticated attackers to inject arbitrary web scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Advanced Order Export For WooCommerce plugin for WordPress versions before 3.1.8 contains a reflected cross-site scripting (XSS) vulnerability in the tab parameter of the admin panel. The plugin fails to properly sanitize user input before outputting it, allowing an attacker to inject malicious JavaScript code. This vulnerability is classified as CWE-79 and has a CVSS score of 8.3 (high) [1].
Exploitation
An attacker must have authenticated access to the WordPress admin panel (e.g., as a shop manager or administrator). The attacker can craft a URL with a malicious payload in the tab parameter and trick an authenticated user into clicking it. No special privileges beyond authentication are required, and the attack does not require user interaction beyond the victim clicking the crafted link [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's admin session. This can lead to theft of session cookies, defacement of the admin interface, or further actions such as creating new admin users or modifying plugin settings. The impact is limited to the admin panel and does not affect site visitors directly [1].
Mitigation
The vulnerability is fixed in version 3.1.8 of the plugin. Users should update to this version or later immediately. No workarounds are available. The plugin vendor released the fix on an undisclosed date prior to the public disclosure on 2021-03-03 [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <3.1.8
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing output sanitization on the `tab` parameter in the admin panel allows reflected XSS."
Attack vector
An attacker who is authenticated to the WordPress admin panel can inject malicious JavaScript via the `tab` parameter in the plugin's admin interface. The parameter is not properly sanitized before being reflected back to the user's browser, allowing the attacker to craft a URL containing an XSS payload. When the victim (an authenticated admin) visits the crafted URL, the injected script executes in the context of the WordPress admin panel, potentially leading to session hijacking or privilege escalation [CWE-79] [ref_id=1].
Affected code
The vulnerability exists in the Admin Panel of the Advanced Order Export For WooCommerce plugin (versions before 3.1.8). The `tab` parameter is the affected input vector, though the specific file and function are not named in the advisory [ref_id=1].
What the fix does
The advisory states the vulnerability is fixed in version 3.1.8 of the plugin, but does not include a patch diff or describe the specific sanitization changes [ref_id=1]. The remediation involves properly escaping or validating the `tab` parameter before outputting it in the admin page, preventing reflected XSS.
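The advisory does not name the affected file or function, so the following is an added illustration of the pattern it describes, not the plugin's own code: a hypothetical WordPress admin tab renderer that reflects the `tab` query parameter unescaped, beside a hardened version that validates the value against a fixed allow-list and escapes at the point of output with the standard WordPress helpers. The function names and the tab list are assumptions.

```php
<?php
// Added example, not the plugin's code. Both functions are hypothetical.

// Vulnerable pattern (CWE-79, reflected): the raw `tab` value is concatenated
// into an attribute and into element text with no validation and no escaping,
// so a crafted value can break out of the attribute and inject markup/script.
function example_render_tabs_vulnerable() {
    $tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
    echo '<a class="nav-tab" href="?page=example&tab=' . $tab . '">' . $tab . '</a>';
}

// Hardened pattern:
//  1. normalise the request value (wp_unslash + sanitize_key) and accept it only
//     if it matches a known tab identifier; otherwise fall back to the default;
//  2. escape every output with the helper matching its context: esc_attr() for
//     attributes, esc_url() for hrefs, esc_html() for text.
// The `tab` value itself is never echoed; only allow-listed names are rendered.
function example_render_tabs_hardened() {
    $allowed_tabs = array( 'general', 'fields', 'filters', 'export' ); // assumed tab list
    $requested    = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';
    $tab          = in_array( $requested, $allowed_tabs, true ) ? $requested : 'general';

    foreach ( $allowed_tabs as $name ) {
        $url   = add_query_arg(
            array( 'page' => 'example', 'tab' => $name ),
            admin_url( 'admin.php' )
        );
        $class = 'nav-tab' . ( $name === $tab ? ' nav-tab-active' : '' );
        printf(
            '<a class="%s" href="%s">%s</a>',
            esc_attr( $class ),
            esc_url( $url ),
            esc_html( $name )
        );
    }
}
```

Allow-listing closes the reflection entirely, while the output escaping remains as defence in depth should a future tab name be derived from user-controlled data.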
Preconditions
- Auth: attacker must be authenticated to the WordPress admin panel
- Config: the vulnerable plugin must be installed and active
- Input: victim must click a crafted URL containing the XSS payload in the tab parameter
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- packetstormsecurity.com/files/164263/WordPress-Advanced-Order-Export-For-WooCommerce-3.1.7-Cross-Site-Scripting.html (MISC)
- wpscan.com/vulnerability/09681a6c-57b8-4448-982a-fe8d28c87fc3 (CONFIRM)
News mentions
No linked articles in our index yet.