Advanced AJAX Product Filters < 1.5.4.7 - Unauthenticated Reflected Cross-Site Scripting (XSS)
Description
Reflected XSS in Advanced AJAX Product Filters plugin via unsanitized 'term_id' parameter, allowing unauthenticated attackers to inject scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Advanced AJAX Product Filters WordPress plugin, in versions before 1.5.4.7, is vulnerable to reflected cross-site scripting. The br_aapf_get_child AJAX action is registered for both logged-out and logged-in users (the wp_ajax_nopriv_ and wp_ajax_ hooks) and echoes the term_id POST parameter into its response without sanitizing or escaping it, so an attacker can inject arbitrary HTML and JavaScript into the page.
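The following is an added illustration and not the plugin's source: a hypothetical handler of the shape the advisory describes, first as the insecure pattern (raw POST value concatenated into HTML) and then hardened. The action name, function names, taxonomy and nonce name are all assumptions standing in for br_aapf_get_child; only the WordPress API calls (add_action, absint, wp_unslash, term_exists, get_terms, esc_html, check_ajax_referer, wp_send_json_*) are real.

```php
<?php
// Added example, not code from the Advanced AJAX Product Filters plugin.
// 'demo_get_child' stands in for the real br_aapf_get_child action.

// --- Vulnerable pattern: the request value is the output ----------------
function demo_get_child_vulnerable() {
    $term_id = isset( $_POST['term_id'] ) ? $_POST['term_id'] : '';
    // No type enforcement, no escaping: a value such as
    // 1"><script>...</script> is reflected verbatim into the markup.
    echo '<div class="child-terms" data-parent="' . $term_id . '"></div>';
    wp_die();
}
// Registered on both hooks, so logged-out visitors reach it too.
add_action( 'wp_ajax_demo_get_child_vulnerable', 'demo_get_child_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_get_child_vulnerable', 'demo_get_child_vulnerable' );

// --- Hardened pattern: type at the source, escape at the sink --------------
function demo_get_child_hardened() {
    // A public filter needs no capability check, but a nonce still stops
    // third-party pages from driving the endpoint on a logged-in victim's
    // behalf. It is defence in depth, not a substitute for escaping.
    check_ajax_referer( 'demo_get_child_nonce', 'nonce' );

    // A term ID is a positive integer; coerce to that and nothing else.
    $term_id = isset( $_POST['term_id'] ) ? absint( wp_unslash( $_POST['term_id'] ) ) : 0;
    if ( 0 === $term_id || ! term_exists( $term_id ) ) {
        wp_send_json_error( array( 'message' => 'invalid term_id' ), 400 );
    }

    $children = get_terms( array(
        'taxonomy'   => 'product_cat', // assumption: WooCommerce category tree
        'parent'     => $term_id,
        'hide_empty' => false,
    ) );
    if ( is_wp_error( $children ) ) {
        wp_send_json_error( array( 'message' => $children->get_error_message() ), 500 );
    }

    // If markup must be returned, every dynamic value is escaped for the
    // context it lands in (attribute value, text node).
    $html = '';
    foreach ( $children as $child ) {
        $html .= sprintf(
            '<label><input type="checkbox" name="term_id[]" value="%d"> %s</label>',
            absint( $child->term_id ),
            esc_html( $child->name )
        );
    }

    // wp_send_json_* emits Content-Type: application/json, so even a missed
    // escape is not rendered as a document by the browser.
    wp_send_json_success( array( 'parent' => $term_id, 'html' => $html ) );
}
add_action( 'wp_ajax_demo_get_child', 'demo_get_child_hardened' );
add_action( 'wp_ajax_nopriv_demo_get_child', 'demo_get_child_hardened' );
```

The two controls that matter for this bug are independent: absint() at the input means a script string can never reach the output, and esc_html()/%d plus a JSON content type at the output mean that even a value the input check missed cannot execute. The nonce is an extra layer for the logged-in case; the XSS is closed without it.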
Exploitation
An attacker sends a crafted POST request to the site's AJAX endpoint (wp-admin/admin-ajax.php) with action=br_aapf_get_child and a script payload in the term_id parameter. No authentication or special privilege is required. Because the value is read from the POST body, delivery to a victim typically means luring them to an attacker-controlled page that auto-submits such a form to the vulnerable site; the response reflects the payload and the script executes in the victim's browser, in the vulnerable site's origin.
Impact
Successful exploitation yields reflected cross-site scripting: the attacker's JavaScript runs in the victim's browser within the vulnerable site's origin and can read page content, harvest nonces and issue requests as the victim, including administrative actions if the victim is a logged-in administrator. WordPress marks its authentication cookies HttpOnly by default, so outright cookie theft is the less likely outcome; riding the victim's session from their own browser is the realistic one. The impact is bounded by the reflected nature of the flaw, since each victim must be induced to load an attacker-controlled page.
Mitigation
The vulnerability is fixed in version 1.5.4.7 of the Advanced AJAX Product Filters plugin; users should update to that version or later [1]. As of the publication date, no vendor workaround had been provided. The plugin is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
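Where the update cannot be applied immediately, an operator can put an interim guard in front of the affected action. The must-use plugin below is an added example written for this page, not a vendor workaround and not plugin code: it rejects any request to the br_aapf_get_child action whose term_id is not a plain decimal integer, before the plugin's own handler runs. It assumes the plugin reads the parameter from the request (POST or GET, hence $_REQUEST) and that a term ID is only ever digits; both are assumptions about the advisory's description, not facts taken from the plugin.

```php
<?php
/*
 * Plugin Name: Interim guard for br_aapf_get_child
 * Description: Added example (not vendor code). Rejects non-integer term_id
 *              values on the affected AJAX action until the plugin is updated.
 */

// admin-ajax.php fires 'admin_init' for both logged-in and logged-out requests
// before dispatching the wp_ajax_* / wp_ajax_nopriv_* hooks, so priority 0
// here runs ahead of the vulnerable handler.
add_action( 'admin_init', function () {
    if ( ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
        return;
    }

    $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : '';
    if ( ! is_string( $action ) || 'br_aapf_get_child' !== $action ) {
        return; // not the affected action; leave every other request alone
    }

    // Assumption: the handler reads term_id from the request body or query.
    $term_id = isset( $_REQUEST['term_id'] ) ? $_REQUEST['term_id'] : '';

    // A term ID is digits only. Arrays, empty values and anything containing
    // markup characters are refused with 400 before they can be reflected.
    if ( ! is_string( $term_id ) || ! preg_match( '/\A[0-9]{1,10}\z/', $term_id ) ) {
        status_header( 400 );
        wp_die( 'Invalid term_id', 'Bad Request', array( 'response' => 400 ) );
    }
}, 0 );
```

Drop the file into wp-content/mu-plugins/ so it loads on every request without activation; remove it once the site is on 1.5.4.7 or later. The guard is deliberately narrow: it does not try to recognise "dangerous" strings, it enforces the one shape a legitimate term_id can have, which is the same whitelist approach the fixed code path should apply.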
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] wpscan.com/vulnerability/b92ec5f7-d6a8-476f-a01e-21001a558914/ (MITRE reference; tagged exploit, vdb-entry, technical-description)
News mentions (0)
No linked articles in our index yet.