XSS Vulnerability in WooCommerce Product Vendors Plugin

A reflected cross site scripting vulnerability has been reported in a premium WordPress plugin for WooCommerce known as the ‘Product Vendors‘ plugin. This plugin is used by 28% of all online WooCommerce stores. Update: As a commenter pointed out, WooCommerce is used by 28% of all online stores, not the affected extension.

Product Vendors version 2.0.35 is affected by the vulnerability. If you are using this plugin, you need to upgrade immediately to at least version 2.0.36, which includes the fix. The current version of Product Vendors is 2.0.40.

In the Product Vendors changelog, they do not mention that a vulnerability was fixed. The changelog entry for 2.0.36 simply says:

2017-07-28 – version 2.0.36
* Fix – Adjusts how we handle the vendor registration form validation.  

This ‘form validation’ fix is the fix that removes the cross site scripting (XSS) vulnerability in a sign-up form for new vendors.

If you are using Wordfence it is unlikely that your site is exploitable because Wordfence includes advanced XSS protection for our free and paid customers.

The fix for the vulnerability was released on July 28th. Presumably WooCommerce did not mention in their changelog that this was a security fix to try and keep the vulnerability confidential to give their customers time to upgrade.

The fix has now been out for a month and this vulnerability is being reported to the public. It appeared on Kaspersky’s Threatpost blog 2 hours ago.

If you are running an older version of the Product Vendors plugin, it is important that you upgrade immediately to avoid having your site exploited. This vulnerability is now public and will be exploited by attackers.

If you would like to learn more about cross site scripting vulnerabilities and what a ‘reflected’ cross site scripting vulnerability is, you can visit our WordPress security learning center article on cross site scripting. We go into detail explaining the differences between stored and reflected XSS and we even include a guide for developers to help you validate your data and avoid writing cross site scripting vulnerabilities.

Please share this with the broader WordPress community to help create awareness of the importance of upgrading this plugin as soon as possible.

Did you enjoy this post? Share it!


  • Re-read the Kaspersky article - they correctly suggest that WooCommerce powers 28% of eCommerce stores. You need to rewrite your first paragraph to align with the facts.

    • Honest mistake. The Kaspersky article said "An extension of the WooCommerce WordPress plugin, used by 28 percent of all online stores, has been patched against a reflected cross-site scripting vulnerability.".

      Updated the post. Thanks for pointing this out.

      • Mark, you are correct. The prepositional phrase after 'extension' makes the percentage detail refer to the extension at hand (the subject of the sentence), not the WooCommerce plugin. The writer of the Kaspersky article should rewrite to clarify. The sentence should read more like this:

        "An extension of the WooCommerce WordPress plugin has been patched against a reflected cross-site scripting vulnerability. The WooCommerce plugin itself is used by 28 percent of all online stores."