WOOF - Products Filter for WooCommerce < 1.2.6.3 - Reflected Cross-Site Scripting
Description
The WOOF WordPress plugin before 1.2.6.3 does not sanitise and escape the woof_redraw_elements parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- WordPress/WOOF
Patches
Vulnerability mechanics
Root cause
"Missing sanitization and escaping of the `woof_redraw_elements` parameter before output in an admin page allows reflected cross-site scripting."
Attack vector
An attacker can craft a URL carrying a malicious payload in the `woof_redraw_elements` parameter. When a logged-in administrator visits that URL, the unsanitised value is reflected into the admin page, so the attacker's JavaScript executes in the context of the administrator's session [ref_id=1]. This is a reflected cross-site scripting (XSS) flaw [CWE-79].
Affected code
The vulnerability is in the WOOF (WooCommerce Products Filter) plugin for WordPress, affecting versions before 1.2.6.3. The parameter `woof_redraw_elements` is output back in an admin page without sanitization or escaping [ref_id=1].
What the fix does
The advisory states the issue is fixed in version 1.2.6.3 [ref_id=1]. The fix sanitises the `woof_redraw_elements` parameter on input and escapes it for the HTML context in which it is output on the admin page, so that injected markup or script is rendered as inert text rather than interpreted by the browser [ref_id=1].
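To make the "sanitise and escape" point concrete, the following PHP is an added illustration and not the WOOF plugin's code or its actual patch: a hypothetical admin-page handler that reflects the `woof_redraw_elements` request value, shown in the unsafe shape the advisory describes next to the hardened shape the fix is described as applying. The surrounding HTML and the use of a hidden input are assumptions; only the parameter name comes from the advisory. The stand-in definitions at the top let the file run outside WordPress and are replaced by the real `sanitize_text_field()`, `esc_attr()`, `esc_html()` and `wp_unslash()` when loaded inside WordPress.

```php
<?php
// Added example (not WOOF plugin code): reflected output of a request value,
// unsafe shape beside hardened shape. Output context (HTML attribute) is assumed.

// Minimal stand-ins so the file runs without WordPress loaded. Inside WordPress
// the plugin API's own functions of the same names are used instead.
if (!function_exists('wp_unslash')) {
    function wp_unslash($v) { return is_string($v) ? stripslashes($v) : $v; }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($v) {
        $v = strip_tags((string) $v);                    // remove HTML tags
        $v = preg_replace('/[\x00-\x1F\x7F]/', '', $v);  // remove control bytes
        $v = preg_replace('/\s+/', ' ', $v);             // collapse whitespace
        return trim($v);
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($v) { return htmlspecialchars((string) $v, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($v) { return htmlspecialchars((string) $v, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}

// Vulnerable shape (CWE-79): the request value is concatenated into the page
// exactly as received, so any quote or tag in it becomes live markup.
function render_redraw_field_unsafe(array $request): string {
    $val = $request['woof_redraw_elements'] ?? '';
    return '<input type="hidden" name="woof_redraw_elements" value="' . $val . '">';
}

// Hardened shape: sanitise on input, then escape for the exact output context.
// sanitize_text_field() strips tags and control bytes but does NOT encode
// quotes, which is why esc_attr() is still required inside an attribute.
function render_redraw_field_safe(array $request): string {
    $raw = isset($request['woof_redraw_elements'])
        ? wp_unslash($request['woof_redraw_elements'])
        : '';
    $val = sanitize_text_field($raw);
    return '<input type="hidden" name="woof_redraw_elements" value="' . esc_attr($val) . '">';
}

// Same value echoed as visible text rather than inside an attribute: use the
// text-context escaper instead. Picking the escaper per context is the point.
function render_redraw_label_safe(array $request): string {
    $val = sanitize_text_field(wp_unslash($request['woof_redraw_elements'] ?? ''));
    return '<p>Redraw elements: ' . esc_html($val) . '</p>';
}

// Constructed demo input: an ordinary-looking value that happens to contain a
// quote and a tag, the characters an attribute context must never receive raw.
$demo = ['woof_redraw_elements' => 'sku"<b>list</b>'];

echo "unsafe: ", render_redraw_field_unsafe($demo), "\n";
echo "safe:   ", render_redraw_field_safe($demo), "\n";
echo "label:  ", render_redraw_label_safe($demo), "\n";
```

Running it shows the difference directly: the unsafe line carries the raw double quote and the tag into the attribute, while the safe line has the tag stripped by sanitisation and the quote turned into an entity by attribute escaping. The defensive rule the advisory encodes is the general one: validate or sanitise on the way in, and escape on the way out with the function matching the output context, since neither step alone is sufficient.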
Preconditions
- auth: The attacker must trick a logged-in WordPress administrator into visiting a crafted URL
- config: The WOOF plugin must be installed and active with a version prior to 1.2.6.3
- network: The attacker must be able to deliver a URL containing the malicious payload to the admin
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/changeset/2648751 (MITRE: x_refsource_CONFIRM)
- wpscan.com/vulnerability/b7dd81c6-6af1-4976-b928-421ca69bfa90 (MITRE: x_refsource_MISC)
News mentions
No linked articles in our index yet.