Stored Cross-site Scripting Vulnerability in WooCommerce by Automattic
CVE-2025-26762

5.9MEDIUM

Key Information:

Vendor: Automattic
Status: WooCommerce
Vendor: CVE Published:; 27 March 2025

What is CVE-2025-26762?

An issue has been identified in WooCommerce, developed by Automattic, where improper neutralization of input during web page generation can lead to stored Cross-site Scripting (XSS). This vulnerability affects WooCommerce versions from n/a through 9.7.0, allowing potential attackers to inject malicious scripts that run in the context of users visiting the affected web pages. It is crucial for users and site administrators to update to the latest version and implement necessary security measures to mitigate risks.

Affected Version(s)

WooCommerce 0 <= 9.7.0

References

https://patchstack.com/database/Wordpress/Plugin/woocomme...

vdb-entry

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 27, 2025
Vulnerability Reserved
Feb 14, 2025

Credit

Savphill (Patchstack Alliance)

CVE-2025-26762 Data

JSON