CVE-2021-24323 – Woocommerce < 5.2.0 - Authenticated Stored Cross-Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2021-24323
When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfiltered_html is disabled Cuando la opción taxes está habilitada, el campo "Additional tax classes" no es saneado apropiadamente antes de ser devuelto en el panel de administración, permitiendo a usuarios con altos privilegios, tales como el administrador, usar cargas útiles XSS incluso cuando el parámetro unfiltered_html está deshabilitado The WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Additional tax classes' field when the tax functionality of WooCommerce is enabled in versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrative privileges to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • https://wpscan.com/vulnerability/6d262555-7ae4-4e36-add6-4baa34dc3010 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •