Threat Research

WooCommerce Tax Rates Cross-Site Scripting Vulnerability

By Zhouyuan Yang | December 16, 2016

WooCommerce is a free eCommerce plugin for WordPress. It has been downloaded over 1 million times and over 30% of all online stores are now powered by WooCommerce.

I recently discovered that WooCommerce is vulnerable to a cross-site scripting (XSS) attack. This XSS vulnerability is caused because the WooCommerce tax rates setting incorrectly processes user-supplied data. Remote attackers are tricking WooCommerce administrators into uploading a malicious CSV file that claims to provide required tax rate data for a particular country or region. This file injects malicious code into the application, triggering a XSS attack that could allow a remote attacker to gain full control of the web server.

This vulnerability affects WooCommerce versions before 2.6.9.


The tax rates setting in WooCommerce is at WooCommerce –> Settings –> Tax. There are two ways to set the tax rates: manually input the tax value, or import it from a CSV file, as shown in Figure 1.

Figure 1. WooCommerce Tax Rates Setting

Because different countries and states have different tax rates, most shop managers simply search for a tax rates file and import it, as shown in Figure 2.

Figure 2. Search results for WooCommerce CSV file

There are a number of web sites that provide either free or paid tax rates files. Some website examples are shown below, in Figures 3 and 4. A remote attacker offering an infected CSV file can trick a WooCommerce administrator into downloading a file with embedded malicious code, thereby triggering the XSS attack.

Figure 3. WooCommerce Tax Rates CSV file providers (A)

Figure 4. WooCommerce Tax Rates CSV file providers (B)


The vulnerability exists in the State Code and ZIP/Postcode part of the application’s code. WooCommerce doesn’t correctly sanitize the user-supplied data for State Code and ZIP/Postcode, which causes the XSS vulnerability.

For example, an attacker could modify the ZIP/Postcode in the CSV file and set it to “,” as shown in Figure 5.

Figure 5. WooCommerce Tax Rates CSV PoC file

After uploading this malicious CSV file, as shown in Figure 6, the XSS code will be injected, as seen in Figure 7.

Figure 6. Upload the CSV PoC file

Figure 7. XSS code is injected

Once the victim moves his/her mouse over the ZIP/Postcode element, the XSS code will be triggered, as shown in Figure 8.

Figure 8. XSS code is triggered


The WooCommerce team has been alerted to this vulnerability and they have issued an update. All users of WooCommerce should upgrade to the latest version immediately. Additionally, organizations that have deployed Fortinet IPS solutions are already protected from this vulnerability with the signature WooCommerce.Import.CSV.XSS.