Stored Cross-Site Scripting Vulnerability in Product Subtitle for WooCommerce Plugin by WordPress
CVE-2025-5285

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Product Subtitle For WooCommerce
Vendor: CVE Published:; 31 May 2025

What is CVE-2025-5285?

The Product Subtitle for WooCommerce plugin is susceptible to a Stored Cross-Site Scripting vulnerability stemming from improper input validation and output sanitization. Authenticated users with Contributor privileges can exploit this flaw through the ‘htmlTag’ parameter, allowing them to inject malicious web scripts. When a page containing these scripts is accessed by other users, the scripts execute, potentially compromising their browsing experience and data integrity.

Affected Version(s)

Product Subtitle for WooCommerce * <= 1.3.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/product-subtit...

https://wordpress.org/plugins/product-subtitle-for-woocom...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 31, 2025
Vulnerability Reserved
May 27, 2025

Credit

Peter Thaleikis