DukaPress WordPress Plugin Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the DukaPress WordPress plugin, affecting versions through 3.2.4. The issue arises because the plugin fails to properly sanitize and escape a parameter before displaying it on the page. This vulnerability could be exploited against users with high privileges, such as administrators.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, send a POST request to 'wp-admin/admin-ajax.php' with the 'action' parameter set to 'dpsc_format_price'. Include a 'price' parameter that contains a script payload, such as a JavaScript alert. The injected script will be executed when the response is rendered in the browser.