Cross-site Scripting (XSS) - Reflected in blockonomics/woocommerce-plugin
Reported on May 1st 2021
✍️ Description
Reflected JavaScript injection vulnerabilities exist when a web application takes parameters from the URL and displays them on a page. A reflection vulnerability occurs when a website outputs a variable from the page URL directly into the page, such as a PHP application that accepts request parameters and displays them on screen. If JavaScript code is passed into the PHP script and written to the page unescaped, the browser cannot distinguish it from the page's own script and executes it.
🕵️‍♂️ Proof of Concept
Vulnerable code snippet available at https://github.com/blockonomics/woocommerce-plugin/blob/master/blockonomics-woocommerce.php
The user-controlled GET parameter filter_by is reflected directly inside the value attribute of an input tag without sanitization or escaping.
    function filter_orders() {
        global $typenow;
        if ( 'shop_order' === $typenow ) {
    ?>
        <!-- $_GET['filter_by'] is echoed raw into a double-quoted attribute: no esc_attr(), no htmlspecialchars() -->
        <input size='26' value="<?php if(isset( $_GET['filter_by'] )) echo($_GET['filter_by']); ?>" type='name' placeholder='Filter by crypto address/txid' name='filter_by'>
    <?php
        }
    }
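The following is an added example, not code from the plugin or from the reporter. It rebuilds the vulnerable attribute reflection as a plain function next to a hardened version, runs both on a constructed filter_by value containing a double quote, and checks that only the hardened output keeps the value inside the attribute. The function names build_filter_input_vulnerable, build_filter_input_safe and value_stays_in_attribute are assumptions made for this illustration; htmlspecialchars() is used so the example runs outside WordPress, where the idiomatic fix is esc_attr().

```php
<?php
// Added example: unescaped attribute reflection beside a hardened form.
// build_filter_input_vulnerable / build_filter_input_safe / value_stays_in_attribute
// are illustrative names, not functions from the plugin.

function build_filter_input_vulnerable(array $get): string
{
    $value = isset($get['filter_by']) ? $get['filter_by'] : '';
    // Mirrors the plugin: the raw parameter lands inside a double-quoted attribute,
    // so a '"' in the value terminates the attribute early.
    return "<input size='26' value=\"" . $value . "\" type='name' "
         . "placeholder='Filter by crypto address/txid' name='filter_by'>";
}

function build_filter_input_safe(array $get): string
{
    $value = isset($get['filter_by']) ? $get['filter_by'] : '';
    // Escape for the HTML attribute context. Inside WordPress use esc_attr($value);
    // htmlspecialchars with ENT_QUOTES encodes both ' and " so the attribute cannot be closed.
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<input size='26' value=\"" . $escaped . "\" type='name' "
         . "placeholder='Filter by crypto address/txid' name='filter_by'>";
}

// Check: the value attribute must be the only double-quoted attribute and must
// contain the whole input. A raw '"' from the input creates extra quote pairs.
function value_stays_in_attribute(string $html): bool
{
    return substr_count($html, '"') === 2;
}

// Constructed sample request: a harmless value that merely contains a double quote.
$sample = ['filter_by' => 'abc" extra="1'];

$vulnerable = build_filter_input_vulnerable($sample);
$safe       = build_filter_input_safe($sample);

echo "vulnerable: " . $vulnerable . PHP_EOL;
echo "safe:       " . $safe . PHP_EOL;

// Expected: the vulnerable markup now carries an injected attribute (four quotes),
// the hardened markup still has exactly one quoted value attribute.
var_dump(value_stays_in_attribute($vulnerable)); // bool(false)
var_dump(value_stays_in_attribute($safe));       // bool(true)
```

The check counts quote characters rather than parsing HTML, which is enough here because the template places only one double-quoted attribute on the element; in the plugin itself the one-line fix is to wrap the echoed value in esc_attr().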
💥 Impact
Reflected XSS runs attacker-controlled JavaScript within the origin of the vulnerable site, effectively bypassing the Same-Origin Policy; that script can then perform any action the logged-in user could perform manually.
References
- URL reflection XSS attacks are a type of attack that does not rely on saving malicious code in a database, but rather on hiding it in URLs that are sent to unsuspecting victims.
- https://github.com/blockonomics/woocommerce-plugin/blob/master/blockonomics-woocommerce.php
Hey,
Does it qualify for a CVE? As this bug is reported in a WordPress plugin, I believe it should qualify for a CVE number. Please let me know.