When a Checkout Page Leaks Your Session
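The article describes a reflected XSS vulnerability in a WordPress checkout page: JavaScript injected through the `billing[address]` parameter can lead to session hijacking. The attacker exploits this flaw on a page that users trust to handle sensitive information. 2026-1-13 06:21:22 Author: infosecwriteups.com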

Breaking Down a Real Reflected XSS in WordPress Checkout Flow

Monika sharma

Sometimes you open a bug bounty report and immediately know why it matters.

No fancy chains.
No obscure crypto logic.
Just a simple input field doing something it should never do.

When I read HackerOne report #384112, this was exactly that kind of moment. A reflected XSS hiding inside a WordPress checkout page. The kind of place users trust with addresses, emails, and payment details. The kind of place attackers love.

Let’s break it down slowly and practically so you understand not just what happened, but how you can find bugs like this too.

The Report at a Glance

  • Vulnerability type: Reflected XSS
  • Platform: WordPress
  • Affected endpoint: /store/checkout/
  • Vulnerable parameter: billing[address]
  • Impact: Session hijacking via JavaScript execution
  • Report submitted by: arunthelegion

Nothing exotic. But that’s exactly why it’s powerful.

Why Checkout Pages Are High-Value Targets


Source: https://infosecwriteups.com/when-a-checkout-page-leaks-your-session-f08885668ae7?source=rss----7b722bfd1b8d---4