Reflected Cross-Site Scripting Vulnerability in WordPress eCommerce Plugin
CVE-2024-14015

Currently unrated

Key Information:

Vendor: WordPress
Status: WordPress Ecommerce Plugin
Vendor: CVE Published:; 24 November 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2024-14015?

The WordPress eCommerce Plugin prior to version 2.9.0 is prone to a reflected cross-site scripting vulnerability due to improper sanitization and escaping of a user-supplied parameter. This flaw enables attackers to inject malicious scripts into web pages viewed by users, particularly affecting high privilege roles like administrators. Successful exploitation could allow attackers to execute arbitrary scripts in the context of the affected user, potentially compromising sensitive information and system integrity.

Affected Version(s)

WordPress eCommerce Plugin 0 <= 2.9.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-14015 - Proof of Concept

References

https://wpscan.com/vulnerability/1a70927a-e345-4e2f-98da-...

exploitvdb-entrytechnical-description

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Nov 24, 2025
👾
Exploit known to exist
Nov 24, 2025
Vulnerability published
Nov 24, 2025
Vulnerability Reserved
Oct 30, 2025

Credit

Hassan Khan Yusufzai - Splint3r7

WPScan

JSON