Avalon23 Products Filter for WooCommerce <= 1.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Description
The Avalon23 Products Filter for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'avalon23_qr' shortcode in all versions up to, and including, 1.1.6. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes (notably 'title' and 'fixed_link') which are concatenated directly into single-quoted HTML attributes by the AVALON23_HELPER::draw_html_item() helper without esc_attr() or any other encoding. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <=1.1.6
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization and output escaping on the 'title' and 'fixed_link' shortcode attributes allows stored cross-site scripting."
Attack vector
An authenticated attacker with at least Contributor-level access can insert the `[avalon23_qr title="..." fixed_link="..."]` shortcode into a WordPress post or page. By supplying a malicious payload in the `title` or `fixed_link` attribute (e.g. a single quote followed by an event handler), the attacker breaks out of the single-quoted HTML attribute context and injects arbitrary JavaScript. When any user views the affected page, the injected script executes in their browser, enabling session hijacking, defacement, or further attacks. [CWE-79]
Affected code
The vulnerability resides in the `avalon23_qr()` method of the `Avalon23_QR_Generator` class in `/ext/qr_generator/index.php`. The `'title'` and `'fixed_link'` shortcode attributes are passed directly into the `$data` array without sanitization or escaping, then handed to `AVALON23_HELPER::draw_html_item()` which concatenates them into single-quoted HTML attributes. No call to `esc_attr()` or any other encoding is applied before rendering.
What the fix does
The patch is not shown in the bundle; however, the advisory states that the fix must apply `esc_attr()` (or equivalent context-aware escaping) to the `'title'` and `'fixed_link'` attributes before they are placed into the HTML attribute string by `AVALON23_HELPER::draw_html_item()`. Without such escaping, any single-quote or special character in the user-supplied value can break the attribute boundary and inject arbitrary HTML/JavaScript.
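As an added illustration (not code from the plugin or the advisory), the pattern described above reduced to a stand-alone PHP file: a helper that concatenates shortcode attributes into single-quoted HTML attributes, beside the same helper with `esc_attr()` applied at the point of output. The helper names, the sample attributes and the `esc_attr()` shim are assumptions so that the file runs outside WordPress.

```php
<?php
// Added example; not the plugin's code. Mirrors the pattern the advisory
// describes: attribute values concatenated into single-quoted HTML attributes.

// esc_attr() is WordPress's real attribute-escaping function. This shim is an
// assumption so the file runs outside WordPress; for the characters that
// matter here (' " < > &) it behaves the same way.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Vulnerable pattern (hypothetical stand-in for draw_html_item()): the value
// is dropped straight into a single-quoted attribute, so any ' in it ends the
// attribute early and whatever follows is parsed as new attributes/markup.
function draw_html_item_vulnerable(array $data) {
    return "<a class='avalon23-qr' title='" . $data['title']
         . "' href='" . $data['fixed_link'] . "'>QR</a>";
}

// Hardened pattern: escape at output, in the context the value lands in.
// A quote becomes &#039; and can no longer terminate the attribute.
function draw_html_item_fixed(array $data) {
    return "<a class='avalon23-qr' title='" . esc_attr($data['title'])
         . "' href='" . esc_attr($data['fixed_link']) . "'>QR</a>";
}

// Constructed sample input: an ordinary title that happens to contain
// apostrophes. No attack payload is needed to see the boundary break.
$atts = [
    'title'      => "O'Reilly's shop",
    'fixed_link' => 'https://example.com/',
];

echo draw_html_item_vulnerable($atts), "\n";
// title='O'Reilly's shop'  -> attribute ends after "O", rest is stray markup
echo draw_html_item_fixed($atts), "\n";
// title='O&#039;Reilly&#039;s shop' -> single, intact attribute value
```

Escaping belongs at the output site, not only on input, because the same value may be rendered in more than one context.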
Preconditions
- auth: The attacker must have a WordPress account with at least Contributor-level permissions to insert shortcodes into posts or pages.
- config: The target site must have the Avalon23 Products Filter for WooCommerce plugin installed and active, with the `avalon23_qr` shortcode available.
- input: The attacker must craft a shortcode attribute (title or fixed_link) containing a single quote and an event handler to break out of the HTML attribute context.
Generated on Jun 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/avalon23-products-filter-for-woocommerce/trunk/classes/helper.php
- plugins.trac.wordpress.org/browser/avalon23-products-filter-for-woocommerce/trunk/ext/qr_generator/index.php
- www.wordfence.com/threat-intel/vulnerabilities/id/da9089a2-420f-4744-96d1-46c050a95328