CVE-2023-28665

An authenticated attacker crafts a URL pointing to `wp-admin/admin-ajax.php` with `action=techno_get_products` and a malicious `page` parameter containing an XSS payload such as `<svg onload=alert(1)>` [ref_id=1]. Because the response Content-Type is `text/html`, the injected script executes in the context of the WordPress admin panel when the victim (also an authenticated user) visits the crafted link [ref_id=1]. The attacker must have a valid WordPress session, but no special privileges beyond authentication are required [ref_id=1].

The vulnerability is in the Woo Bulk Price Update plugin's handling of the `techno_get_products` AJAX action. The `page` parameter is echoed into the response without sanitization, and the response Content-Type is `text/html` rather than `application/json`, enabling script execution in the browser [ref_id=1].

The advisory states the vulnerability is fixed in version 2.2.2 of the Woo Bulk Price Update plugin [ref_id=1]. No patch diff is provided in the bundle, but the remediation would involve properly escaping the `page` parameter before including it in the response and/or setting the response Content-Type to `application/json` to prevent HTML rendering [ref_id=1].

Visit the following URL as an authenticated WordPress user, replacing TARGET_HOST with the WordPress instance: `http://TARGET_HOST/wp-admin/admin-ajax.php?action=techno_get_products&page=<svg%20onload=alert(1)>` [ref_id=1].