The popular WooCommerce WordPress plugin, used by 28 percent of all online stores, was just patched against a reflected cross-site scripting vulnerability (XSS).
The vulnerability was found by the company SiteLock.
The plugin vulnerability was disclosed to Automattic, the owner of WooCommerce, via its HackerOne bug bounty program.
The vulnerability can be tested with:
curl -X POST -d 'vendor_description=<script>alert("xss")</script>' 'https://steelpress.org/index.php/product-vendor-registration-form/?confirm_email=1&email=1&firstname=1&lastname=1&location=1&register=Register&username=1&vendor_description=1&vendor_name='
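To show the class of bug rather than the plugin's actual code, here is an added, hypothetical PHP sketch of a vendor registration form that reflects the vendor_description field: first the unsafe pattern, then the same field with output encoding applied. It is not WooCommerce's or SiteLock's code; the function names, form markup and sample input are assumptions, and inside a WordPress plugin esc_textarea() and esc_attr() would be used where this sketch calls htmlspecialchars().

```php
<?php
// Hypothetical sketch of a vendor registration form handler (not the plugin's real code).
// Constructed input that mirrors the payload used in the curl test above.
$constructed_post = [
    'vendor_name'        => 'Acme',
    'vendor_description' => '<script>alert("xss")</script>',
];

// UNSAFE: the submitted value is written straight back into the page, so the
// browser parses the <script> tag and the reflected XSS fires.
function render_description_unsafe(array $post): string
{
    $value = $post['vendor_description'] ?? '';
    return '<textarea name="vendor_description">' . $value . '</textarea>';
}

// SAFE: HTML-encode the value for the context it lands in. htmlspecialchars with
// ENT_QUOTES turns < > & " ' into entities, so the payload is shown as text and
// cannot close the <textarea> or start a script. In a WordPress plugin,
// esc_textarea() (element body) and esc_attr() (attribute values) do this job.
function render_description_safe(array $post): string
{
    $value   = $post['vendor_description'] ?? '';
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<textarea name="vendor_description">' . $encoded . '</textarea>';
}

// Regression check a plugin test suite could keep: rendered HTML built from
// user input must never contain a live <script> tag.
function reflects_raw_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

echo "unsafe: " . render_description_unsafe($constructed_post) . PHP_EOL;
echo "safe:   " . render_description_safe($constructed_post) . PHP_EOL;
var_dump(reflects_raw_script(render_description_unsafe($constructed_post)));
var_dump(reflects_raw_script(render_description_safe($constructed_post)));
```

Output encoding is the fix for this bug class; input filtering alone is not, because the same value may be rendered in several contexts (attribute, element body, JavaScript) that each need their own escaping.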