The woocommerce-product-addon plugin prior to 18.4 for WordPress has XSS via an import of a new meta data structure.
najeebmedia ppom for woocommerce
Vulmon