WordPress eCommerce Plugin Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the WordPress eCommerce Plugin, specifically in versions through 2.9.0. The issue arises because the plugin fails to properly sanitize and escape a parameter before displaying it on the page. This vulnerability could be exploited against users with high privileges, such as administrators.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, which could be used to target high-privilege users like admins.

Reproduction

To reproduce this vulnerability, a logged-in admin user must be made to open a specific URL that includes a crafted parameter. This parameter should contain a script payload, such as a JavaScript alert. The lack of proper sanitization and escaping will result in the injected script being executed in the user's browser.