VYPR
Unrated severity · NVD Advisory · Published Feb 14, 2022 · Updated Aug 3, 2024

PPOM for WooCommerce < 24.0 - Subscriber+ Settings Update to Stored XSS

CVE-2021-25018

Description

PPOM for WooCommerce before 24.0 allows authenticated users to modify settings and inject stored XSS due to missing authorization, CSRF, and sanitization.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The PPOM for WooCommerce plugin versions before 24.0 contain a vulnerability in the ppom_settings_panel_action AJAX action. This action lacks authorization and CSRF checks, allowing any authenticated user to call it and set arbitrary plugin settings. Additionally, the absence of input sanitization and output escaping enables stored cross-site scripting (XSS) [1].
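As an added illustration (not PPOM's code), the following WordPress AJAX settings handler shows the three controls the advisory reports missing: a CSRF nonce check, a capability check instead of mere authentication, and sanitization on input with escaping on output. The action, option and function names (ppom_demo_*) are hypothetical.

```php
<?php
// Added illustration, not PPOM's code: a settings-update AJAX handler with the
// three controls this advisory reports missing (authorization, CSRF, sanitization/escaping).
// Handler and option names (ppom_demo_*) are hypothetical.

add_action( 'wp_ajax_ppom_demo_save_setting', 'ppom_demo_save_setting' );

function ppom_demo_save_setting() {
    // 1. CSRF: reject requests that lack a valid nonce for this action.
    //    check_ajax_referer() terminates with a 403 when the nonce is missing or invalid.
    check_ajax_referer( 'ppom_demo_save_setting', 'nonce' );

    // 2. Authorization: being logged in is not enough; require an admin capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Input sanitization: accept only a known key and strip tags from the value.
    $allowed_keys = array( 'ppom_demo_label', 'ppom_demo_placeholder' );
    $key   = isset( $_POST['key'] ) ? sanitize_key( wp_unslash( $_POST['key'] ) ) : '';
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';

    if ( ! in_array( $key, $allowed_keys, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown setting.' ), 400 );
    }

    update_option( $key, $value, false );
    wp_send_json_success( array( 'key' => $key ) );
}

// Output escaping: stored data is escaped again at the point of rendering, so
// anything that reached the database can never be emitted as live markup or script.
function ppom_demo_render_setting( $key ) {
    $value = get_option( $key, '' );
    printf(
        '<input type="text" name="%s" value="%s">',
        esc_attr( $key ),
        esc_attr( $value )
    );
}

// The admin page script must send the nonce produced by
// wp_create_nonce( 'ppom_demo_save_setting' ) as the "nonce" POST field;
// wp_localize_script() is the usual way to expose it to the page.
```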

Exploitation

An attacker needs to be authenticated (any role, e.g., subscriber) and can send a crafted AJAX request to the ppom_settings_panel_action endpoint. No CSRF token is required, so the attacker can also trick a higher-privileged user into making the request. The attacker can set arbitrary settings, including those containing malicious JavaScript. When the settings are rendered, the script executes [1].

Impact

Successful exploitation leads to stored XSS. An attacker can inject arbitrary JavaScript that executes in the context of any user viewing the affected settings pages. This can result in session hijacking, defacement, or further compromise of the WordPress site.

Mitigation

The vulnerability is fixed in version 24.0 of the plugin. Users should update to 24.0 or later. No workarounds are mentioned in the available reference [1]. The plugin is not listed on CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


References

1
