Stored XSS Vulnerability in WPFactory Product Notes for WooCommerce
CVE-2025-48239

6.5 MEDIUM

What is CVE-2025-48239?

A stored cross-site scripting (XSS) vulnerability exists in the WPFactory Product Notes Tab & Private Admin Notes for WooCommerce plugin. The flaw allows attackers to inject malicious scripts into the application's web pages; those scripts then execute in the browsers of users who view the affected pages. This can lead to unauthorized data exposure, session hijacking, and other malicious activities. All versions through 3.1.0 are affected, making it imperative for users to update to secure their environments.

Affected Version(s)

Product Notes Tab & Private Admin Notes for WooCommerce <= 3.1.0

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

muhammad yudha (Patchstack Alliance)