Go ahead and disable WooCommerce and comment on a post; you can do the same thing because you’re logged in as admin. Admin users are able to post unfiltered content. If you repeat the test logged out, you’ll notice you’re not able to exploit anything.
See this Trac ticket from WordPress: https://core.trac.wordpress.org/ticket/33402

And this article on make.wordpress: https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html
For future reference, please report security issues responsibly rather than publicly – use https://hackerone.com/automattic
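
To see which accounts on a site fall under the behaviour described in the answer above, the following must-use plugin lists the roles granted the `unfiltered_html` capability and reports whether it is effective for the logged-in user. It is an added example, not code from the original answer or from WordPress/WooCommerce; the `example_` function names are hypothetical, and it assumes the file is placed in `wp-content/mu-plugins/`.

```php
<?php
/**
 * Added example: audit who can post unfiltered HTML.
 * The example_* names are hypothetical; the WordPress calls are core APIs.
 */

// Roles whose stored capability list grants unfiltered_html.
function example_roles_with_unfiltered_html() {
    $granted = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( ! empty( $role['capabilities']['unfiltered_html'] ) ) {
            $granted[] = $slug;
        }
    }
    return $granted;
}

// True when wp-config.php switches the capability off for every user.
function example_unfiltered_html_disabled() {
    return defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML;
}

add_action( 'admin_notices', function () {
    // Only show the audit to users who manage the site.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    if ( example_unfiltered_html_disabled() ) {
        $msg = 'unfiltered_html is disabled site-wide (DISALLOW_UNFILTERED_HTML).';
    } else {
        $roles = example_roles_with_unfiltered_html();
        $users = $roles ? get_users( array( 'role__in' => $roles, 'fields' => 'ID' ) ) : array();
        // current_user_can() applies core's extra rules (e.g. multisite),
        // so it can report "no" even when the role lists the capability.
        $msg = sprintf(
            'Roles granted unfiltered_html: %s (%d users). Effective for you: %s.',
            $roles ? implode( ', ', $roles ) : 'none',
            count( $users ),
            current_user_can( 'unfiltered_html' ) ? 'yes' : 'no'
        );
    }
    echo '<div class="notice notice-info"><p>' . esc_html( $msg ) . '</p></div>';
} );
```

If no account should be able to post unfiltered content, setting the `DISALLOW_UNFILTERED_HTML` constant to `true` in `wp-config.php` removes the capability for all users, administrators included.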