Introduction to WordPress Plugin Security
WordPress’s flexibility owes much to its plugins, but that same strength becomes a weak point when plugins are not kept secure and up to date. A recent study found that 96.77% of WordPress vulnerabilities stem from plugins.
An unpatched plugin can expose your site to attacks ranging from data theft to complete takeover. One of the most common issues is Cross-Site Scripting (XSS), and the stored variety is particularly dangerous. Studies show that XSS accounts for about 53.3% of all plugin vulnerabilities.
The fundamental concern with stored XSS is that malicious code is injected once, saved on your site, and then executes for every user who loads the affected page. Left unpatched, it lets attackers hijack user sessions, deface the site, or steal sensitive data.
For a business owner, the simple discipline of keeping plugins up to date and applying security patches promptly goes a long way. Failing to do so leaves back doors open on your website.
What is the MarketKing Plugin?
MarketKing is a popular WooCommerce extension that turns a single-vendor store into a multi-vendor marketplace: multiple sellers (vendors) each get their own mini-shop within one WooCommerce site, much as marketplaces like Etsy or Amazon operate.
The plugin offers a comprehensive feature set across more than 137 modules and integrations, including branded vendor invoice generation, flexible commission structures, vendor membership subscriptions, support for multiple vendors selling the same product, and vendor badges and ratings, aiming to be an “all-in-one” solution for running a multi-vendor e-commerce site.
What is the Stored XSS and How Does It Work?
Before diving into the specifics of the MarketKing issue, it helps to understand what a Cross-Site Scripting (XSS) vulnerability is and what makes stored XSS especially dangerous.
As mentioned above, Cross-Site Scripting (XSS) is a web vulnerability that lets an attacker inject malicious scripts into pages viewed by other users; the victim’s browser then runs that script with the trust and session of the site that served it.
There are several varieties of XSS attack, the most common being:
- Stored XSS
- Reflected XSS
- Self XSS
In a stored XSS (also known as persistent XSS) attack, the malicious script is stored on the server, for example in a database row or a plugin setting, and is delivered to users whenever they access the affected page.
Reflected XSS, on the other hand, is a one-shot injection: the malicious code arrives in a request, typically a crafted URL, and is immediately “reflected” in the response without being stored.
Self-XSS is a variant in which the victim is tricked into injecting the payload themselves, for example by pasting a script into a form field or their browser console, so it executes only in their own session.
Stored XSS is the more concerning variety because its impact spreads much more widely: the payload lives in the website’s data, so every visitor or administrator who loads the infected page unknowingly executes it. An attacker plants the script once, and it runs for every user who views that content until it is removed.
Understanding the Vulnerability of MarketKing Stored XSS
The recently discovered vulnerability in the MarketKing multivendor marketplace plugin is a stored XSS issue caused by insufficient input sanitisation and output escaping.
Some of the plugin’s settings fields did not properly sanitise user-provided data. An attacker with the appropriate access could enter a snippet of JavaScript into these fields, save it, and have the plugin later output that script as part of a page, where it executes in other users’ browsers. Exploitation requires a Shop Manager or Administrator account, so we do not rate the issue as critical: most users cannot trigger it. It is still worth noting that a Shop Manager can plant a payload that runs in an administrator’s browser the next time the administrator opens the plugin’s settings page, so the flaw can serve as a stepping stone from shop management to full site control. We advise caution and recommend making sure your site runs the latest release of the plugin.
What Versions are Affected?
Plugin versions up to and including 1.9.80 are vulnerable. We contacted the plugin developers with our security report; they were responsive and engaged in producing a patch. We can confirm that the issue is fixed in versions 1.9.81 and above (including the 2.0.0 major release). After the patch was released and tested, we sent our report to Wordfence and received a CVE for the findings – Check our findings here.
Where is the Vulnerability?
The issue lies in plugin settings fields that do not sanitise their input. The unsanitised data is saved in the wp_options table, in the ‘option_value’ column, for the following ‘option_name’ values:
- marketking_logo_favicon_setting – the script is then output to every user who visits /vendor-dashboard/
- marketking_enable_custom_payouts_title_setting – the script is then output to shop managers and site admins who view /wp-admin/admin.php?page=marketking (the plugin’s settings page).
What Causes this Vulnerability?
The root cause is the absence of input sanitisation on save and of output escaping on render. WordPress development best practice is that every admin-supplied value is sanitised or validated when it is stored and escaped for its context (HTML text, attribute, URL) when it is printed. With both in place, harmful input such as a <script> tag is neutralised: it is rendered as literal text (e.g., “<script>…”) rather than executed, which is the key technique for preventing XSS. Escaping on output is the last line of defence and should be applied even when the value was sanitised on save, because other code paths may write to the same option.
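As an added illustration that is not MarketKing’s own code (the plugin’s actual handler is not reproduced on this page), here is a hypothetical settings handler for the two option names identified above, first written the insecure way the root cause describes and then with the sanitisation and escaping WordPress expects. The function names, the nonce action, the form field names and the assumption that the favicon setting holds a URL are all ours.

```php
<?php
// Hypothetical handler, not the plugin's code. The option names are the
// ones this advisory identifies in wp_options; everything else is assumed.

// --- Insecure pattern: raw POST data stored, raw option echoed -----------
function mk_example_save_settings_insecure() {
    // No capability check, no nonce, no sanitisation: whatever was posted
    // lands in option_value and is later printed verbatim.
    update_option( 'marketking_logo_favicon_setting', $_POST['favicon'] );
    update_option( 'marketking_enable_custom_payouts_title_setting', $_POST['payouts_title'] );
}

function mk_example_render_insecure() {
    // A stored value such as "><script>...</script> closes the attribute
    // and the script executes for everyone who loads the page.
    echo '<link rel="icon" href="' . get_option( 'marketking_logo_favicon_setting' ) . '">';
    echo '<h2>' . get_option( 'marketking_enable_custom_payouts_title_setting' ) . '</h2>';
}

// --- Hardened pattern: validate on save, escape on output ----------------
function mk_example_save_settings_secure() {
    // Only users allowed to manage the shop may save, and the request must
    // carry a valid nonce from the settings form (nonce action assumed).
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'mk_example_save_settings' );

    // The favicon is assumed to be a URL: esc_url_raw() removes characters
    // that cannot appear in a URL (including < > and quotes) and rejects
    // disallowed schemes such as javascript:, returning '' for those.
    $favicon = isset( $_POST['favicon'] )
        ? esc_url_raw( wp_unslash( $_POST['favicon'] ) )
        : '';

    // A title is plain text: sanitize_text_field() strips tags and control
    // characters, so "<script>" cannot survive the round trip.
    $title = isset( $_POST['payouts_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['payouts_title'] ) )
        : '';

    update_option( 'marketking_logo_favicon_setting', $favicon );
    update_option( 'marketking_enable_custom_payouts_title_setting', $title );
}

function mk_example_render_secure() {
    // Escape for the exact output context: esc_url() inside an href
    // attribute, esc_html() inside element text. Even a value that slipped
    // past sanitisation (another code path, direct DB edit) renders inert.
    echo '<link rel="icon" href="' . esc_url( get_option( 'marketking_logo_favicon_setting' ) ) . '">';
    echo '<h2>' . esc_html( get_option( 'marketking_enable_custom_payouts_title_setting' ) ) . '</h2>';
}

// Registering the options with sanitize callbacks (Settings API) makes
// every save path go through the same filter, not just this handler.
add_action( 'admin_init', function () {
    register_setting( 'mk_example_group', 'marketking_logo_favicon_setting', array(
        'type'              => 'string',
        'sanitize_callback' => 'esc_url_raw',
    ) );
    register_setting( 'mk_example_group', 'marketking_enable_custom_payouts_title_setting', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
    ) );
} );
```

The two halves are deliberately independent: sanitisation on save keeps bad data out of wp_options, and context-specific escaping on output keeps any bad data that is already there from executing. Dropping either one is enough to reintroduce the bug.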
What are the Recommended Actions and Fixes?
If you use the MarketKing plugin, you should take action immediately to secure your site. Here’s what you can do:
- Update the Plugin to a Safe Version
The developers have released a fix in version 1.9.81 and later (including 2.0.0). Updating to the latest version should therefore be your first priority; the patched code applies the proper sanitisation and escaping.
- Audit and Clean Your Settings
Updating fixes the code, but if an attacker has already injected a script into your MarketKing settings, that payload is still in your database. After the patch it is displayed as harmless text rather than executed, but it should still be removed.
How do you clean your settings?
Go to the MarketKing settings page and inspect the fields for suspicious values. In particular, check the Custom Payouts Title setting and the Logo/Favicon fields. If you find unfamiliar script or JavaScript code, remove it immediately, replace it with the intended text or image URL, and save the settings. Since only a Shop Manager or Administrator could have saved such a value, also review the site’s user list for accounts with those roles that you do not recognise.
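For sites that would rather check the database than eyeball the settings page, here is an added read-only audit snippet (ours, not part of the advisory or the plugin). It reads the two option names this advisory identifies and flags any value that changes when passed through the sanitiser it should have survived, which is exactly the condition under which markup or a disallowed URL scheme is present. Run it from the site root with WP-CLI as `wp eval-file mk-audit.php`; the file name, function names and the assumption that the favicon setting holds a URL or an attachment ID are ours.

```php
<?php
// Added audit snippet, not MarketKing code. Read-only. Run from the
// WordPress root with:  wp eval-file mk-audit.php   (file name assumed).

/**
 * Options named in the advisory, mapped to the sanitiser the stored value
 * should survive unchanged. The favicon is assumed to be a URL.
 */
function mk_audit_option_sanitisers() {
    return array(
        'marketking_logo_favicon_setting'                => 'esc_url_raw',
        'marketking_enable_custom_payouts_title_setting' => 'sanitize_text_field',
    );
}

/**
 * Returns option name => stored value for every checked option whose value
 * differs from its sanitised form (tags, control characters, javascript:
 * URLs and the like). A clean site returns an empty array.
 */
function mk_audit_find_suspicious_options() {
    $suspicious = array();
    foreach ( mk_audit_option_sanitisers() as $option => $sanitiser ) {
        $stored = get_option( $option, '' );

        if ( ! is_string( $stored ) ) {
            // A serialised array/object is not expected here; flag it so a
            // human looks at it rather than silently skipping it.
            $suspicious[ $option ] = 'non-string value of type ' . gettype( $stored );
            continue;
        }

        // Edge case: a favicon stored as a media attachment ID ("123") is
        // legitimate but would be "fixed" by esc_url_raw() to http://123,
        // so treat a purely numeric value as clean.
        if ( 'esc_url_raw' === $sanitiser && ctype_digit( $stored ) ) {
            continue;
        }

        $clean = call_user_func( $sanitiser, $stored );
        if ( $clean !== $stored ) {
            $suspicious[ $option ] = $stored;
        }
    }
    return $suspicious;
}

$findings = mk_audit_find_suspicious_options();
if ( empty( $findings ) ) {
    WP_CLI::success( 'No unexpected markup found in the MarketKing options checked.' );
} else {
    foreach ( $findings as $option => $value ) {
        // Show the raw value so the operator can work out what the intended
        // setting was before replacing it from the MarketKing settings page.
        WP_CLI::warning( sprintf( '%s contains unexpected content: %s', $option, $value ) );
    }
    WP_CLI::log( 'Replace each flagged value from the MarketKing settings page, or with: wp option update <option_name> "<intended value>"' );
}
```

The comparison trick (value !== sanitiser(value)) is deliberately strict: it will also flag harmless oddities such as a stray trailing space, which is cheap to review, whereas a looser check such as searching for the string “script” would miss event-handler attributes and encoded payloads.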
- Keep Everything Updated
Core, themes, and plugins: update them all regularly. As we saw, outdated plugins are a top cause of WordPress hacks. A report by Patchstack found that 42.9% of WordPress sites had bad or critical CV (Common Vulnerability) Scores.
- Use Security Plugins and Services
Augment your site’s defence with a security plugin like Wordfence. These tools can firewall malicious requests, scan for malware or injected code, and alert you to suspicious behaviour. While they’re not foolproof, they add a valuable layer of protection and monitoring.
Finally, treat this incident as a case study. It shows why keeping up with updates matters: the patched version was available, but until it was applied your site remained at risk. Security is an ongoing process, not a one-time setup.
Safeguard Your Website with Loop Digital
At Loop Digital, we understand that running a business and managing a website’s security at the same time can be challenging. This is where proactive security audits and ongoing maintenance become vital to staying ahead of threats. Our team keeps track of your site’s health, ensuring that plugins and all other components are up to date and securely configured. We can implement the best practices mentioned above and tailor them to your specific site.
With our expertise in WordPress development, we can even assist you in web design, website improvement solutions and any custom solutions needed to protect your unique functionality.
Remember, your website is the online representation of your business, its security directly impacts your reputation and revenue. Don’t wait for a malicious incident to take action. Book a consultation with Loop Digital today, and let us help fortify your website against attacks. Whether you need one-time remediation or ongoing maintenance and support, we’re here to help. Together, we can ensure your WordPress site remains fast, functional, and above all, secure, so you can focus on running your business with confidence.