By default, all user input is escaped with htmlspecialchars, so it is not possible to get XSS that way.
However, a __e value can be passed which is base64 encoded, and unfortunately that data is not cleaned.
This gives a way to bypass the XSS filter.
address_1="><script>alert(2);</script>& can be encoded as:
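The following is an added PHP illustration of the escaping gap described above; it is not the vendor's code and it is not the encoded value referred to on the previous line. The parameter names address_1 and __e come from the advisory; the filter function names and the request layout are assumptions made for this example.

```php
<?php
// Added illustration, not the vendor's code: a minimal model of the escaping
// gap the advisory describes. Parameter names follow the advisory; the
// function names and request layout are assumptions made for this example.

// Global input filter: every raw request parameter goes through htmlspecialchars.
function filterInput(array $params): array
{
    return array_map(
        fn(string $v): string => htmlspecialchars($v, ENT_QUOTES, 'UTF-8'),
        $params
    );
}

// Vulnerable flow: __e is base64-decoded *after* the global filter ran, so the
// fields it carries are stored and later rendered exactly as submitted.
function expandExtraVulnerable(array $filtered): array
{
    parse_str(base64_decode($filtered['__e'] ?? ''), $extra);
    return $extra;
}

// Hardened flow: the decoded payload is still user input, so it must pass
// through the same escaping as every other parameter (escape after decoding).
function expandExtraHardened(array $filtered): array
{
    parse_str(base64_decode($filtered['__e'] ?? ''), $extra);
    return filterInput($extra);
}

// Constructed sample request: the same kind of value sent twice, once plainly
// and once base64-encoded inside __e, as the advisory describes.
$payload = 'address_1="><script>alert(2);</script>&';
$request = [
    'address_1' => '"><script>alert(1);</script>',
    '__e'       => base64_encode($payload),
];

$filtered = filterInput($request);

// The plain field is neutralised by the filter; the base64 string contains no
// HTML-special characters, so it passes through the filter unchanged.
echo "filtered address_1: ", $filtered['address_1'], PHP_EOL;
echo "__e unchanged by filter: ", var_export($filtered['__e'] === $request['__e'], true), PHP_EOL;

// Vulnerable: the decoded address_1 still carries raw markup into storage/output.
echo "vulnerable: ", expandExtraVulnerable($filtered)['address_1'], PHP_EOL;
// Hardened: the decoded value is escaped before it can reach storage or a page.
echo "hardened:   ", expandExtraHardened($filtered)['address_1'], PHP_EOL;
```

Detection-wise, the same check applies to any parameter a decoder (base64, JSON, serialized data) unpacks after the global filter has run: escaping must happen on the decoded values, not only on the raw request.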
It also seems that subsql_filter inside the admin panel is not properly escaped, for example:
Proof of Concept:
Example reflected XSS:
For stored XSS, create a new order and set __e using, for example, Burp.
For SQL Injection:
- 11-06-2016: Discovered
- 11-06-2016: Vendor notified
- 13-08-2016: Version 1.2.8 released, issue resolved