Executive Summary

The OpenPOS Lite – Point of Sale for WooCommerce plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability. This occurs via the 'width' parameter of the order_qrcode shortcode in all versions up to and including 3.0. The vulnerability exists because the plugin does not properly sanitize input or escape output for this parameter.

As a result, authenticated attackers with Contributor-level access or higher can inject arbitrary web scripts into pages. These scripts execute whenever any user accesses the injected page, potentially compromising user interactions.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers with Contributor-level access or above to inject malicious scripts into the website. These scripts can execute in the context of other users visiting the affected pages.

• Compromise of user accounts or sessions through theft of cookies or credentials.
• Execution of unauthorized actions on behalf of users without their consent.
• Potential defacement or manipulation of website content.
• Exposure of sensitive information accessible to the victim users.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

The vulnerability involves Stored Cross-Site Scripting (XSS) via the 'width' parameter of the order_qrcode shortcode in the OpenPOS Lite plugin for WooCommerce. Detection would involve identifying if this shortcode is used with unsanitized input in your WordPress installation.

Since the vulnerability requires authenticated users with Contributor-level access or higher to inject malicious scripts, detection can include reviewing posts or pages that use the order_qrcode shortcode and checking for suspicious or unexpected script tags or HTML in the 'width' parameter.

Suggested commands or methods to detect this vulnerability include:

• Search the WordPress database for instances of the order_qrcode shortcode with suspicious 'width' parameter values, for example using SQL queries on the wp_posts table.
• Use WP-CLI to search posts/pages for the shortcode: wp search-replace --dry-run '\[order_qrcode.*width=.*\]' ''
• Monitor HTTP traffic or logs for unusual script execution or injection attempts related to pages containing the order_qrcode shortcode.
• Audit user roles and permissions to identify if any Contributor-level or higher users have recently edited content containing the shortcode.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Update the OpenPOS Lite plugin to the latest version beyond 3.0 where the vulnerability has been fixed.
• Restrict Contributor-level and higher user permissions to trusted users only, minimizing the risk of malicious script injection.
• Temporarily disable or remove the order_qrcode shortcode usage in posts or pages until the plugin is updated.
• Implement Web Application Firewall (WAF) rules to detect and block attempts to inject scripts via the 'width' parameter.
• Review and sanitize all inputs related to the order_qrcode shortcode if custom code or overrides are used.

Useful 0 Not Useful 0