Stored Cross-Site Scripting Vulnerability in WooCommerce Stock History & Reports Manager Plugin
CVE-2025-10167

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Stock History & Reports Manager For WooCommerce
Vendor: CVE Published:; 11 October 2025

What is CVE-2025-10167?

The Stock History & Reports Manager for WooCommerce plugin is susceptible to Stored Cross-Site Scripting due to inadequate sanitization and escaping processes for attributes used in the 'alg_wc_stock_snapshot_restocked' shortcode. This vulnerability allows authenticated users with contributor-level access and higher to inject malicious web scripts into pages, which can be executed when other users view the infected pages, potentially leading to data theft or unauthorized actions.

Affected Version(s)

Stock History & Reports Manager for WooCommerce * <= 2.2.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/stock-snapshot...

https://wordpress.org/plugins/stock-snapshot-for-woocommerce

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Oct 11, 2025
Vulnerability Reserved
Sep 9, 2025

Credit

Djaidja Moundjid

JSON