CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Richard Perdaan WC MyParcel Belgium allows Reflected XSS. This issue affects WC MyParcel Belgium: from 4.5.5 through beta.
Analysis
Reflected cross-site scripting (XSS) in the WC MyParcel Belgium WordPress plugin (versions 4.5.5 through beta). An unauthenticated attacker crafts a URL or form submission containing script that the plugin echoes into a response page; when a victim opens it, the script runs in the victim's browser in the origin of the affected site, where it can read data the page exposes, issue requests with the victim's privileges (including WooCommerce or WordPress administrative actions if the victim is logged in with those rights), or redirect the user to a phishing page. The CVSS 3.1 base score of 7.1 falls in the High band, not moderate: network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, and low confidentiality, integrity and availability impact. Active exploitation status and public proof-of-concept availability are unknown from public sources.
Technical Context
The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation): request data is written into an HTTP response without being encoded for the HTML context it lands in. WC MyParcel Belgium is a WooCommerce extension that integrates shipping label generation and tracking with the MyParcel shipping platform for Belgium. The vulnerable code most likely takes a URL parameter or form field and emits it into an HTML attribute or text node without escaping the characters that change the markup's meaning (<, >, ", ', &). Because the payload travels in the request and comes back in the same response, this is reflected rather than stored XSS: exploitation requires a victim to open an attacker-supplied link or submit an attacker-controlled form, which is why the vector carries UI:R. In a WordPress plugin the sink is typically a page handler, an admin_post or admin-ajax callback, or a template that echoes request data; the public advisory does not name the specific parameter or endpoint.
Affected Products
WC MyParcel Belgium (WordPress plugin), maintained by Richard Perdaan and integrating with the MyParcel shipping platform. Affected versions: 4.5.5 through beta (inclusive); the upper bound "beta" is as stated in the advisory, so confirm the fixed release against the vendor's changelog rather than assuming any particular version number. Estimated CPE: cpe:2.3:a:richard_perdaan:wc_myparcel_belgium:*:*:*:*:*:wordpress:*:* (versions 4.5.5 and later up to and including beta releases). Every WordPress site running the plugin within that range is affected; in practice this means WooCommerce stores that depend on it for shipping label generation and tracking integration, whose shop managers and administrators are the likely targets of a reflected-XSS link.
Remediation
Immediate actions: (1) Update WC MyParcel Belgium to a release the vendor identifies as fixing this issue; check the WordPress.org plugin repository or the vendor's changelog, since the advisory gives the upper bound of the affected range only as "beta". Installed plugin versions and pending updates can be listed with `wp plugin list --fields=name,version,update`. (2) If no fixed release is available, deactivate the plugin until one is, or switch to an alternative shipping integration. (3) Deploy Web Application Firewall rules that flag script tags, event-handler attributes and javascript: URLs in query strings and form bodies; treat this as a stopgap, since encoding variations routinely bypass signature rules. (4) Harden the site: update WordPress core, plugins and themes to current versions, and send a Content Security Policy that disallows inline scripts; note that a script-src containing 'unsafe-inline' gives no protection against reflected XSS, and many plugins still rely on inline scripts, so test in report-only mode before enforcing. Long-term: monitor the plugin repository and vendor advisories for patch releases. The developer-side fix is output escaping, not input validation alone: every value echoed into a page must be escaped for its context, with esc_attr() in attributes, esc_html() in text nodes, esc_url() in href/src, and wp_kses_post() where limited markup is deliberately allowed, after wp_unslash() and sanitize_text_field() when the value is read from $_GET or $_POST.
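As an added example, not the plugin's own code, of the vulnerable pattern described under Technical Context and the escaping fix the remediation calls for: a minimal WordPress admin page callback that reflects a request parameter, shown first unescaped and then hardened per output context. The parameter names order_search and back, the function names, the menu slug and the capability are assumptions for illustration; the code assumes it runs inside WordPress, where the escaping functions it calls are defined.

```php
<?php
/*
 * Added illustrative example (not WC MyParcel Belgium code). Parameter names,
 * function names, menu slug and capability below are assumptions. Requires a
 * WordPress runtime for esc_*(), wp_kses_post(), sanitize_text_field() etc.
 */

// VULNERABLE: the raw GET value is concatenated into markup unescaped.
// A request such as
//   ?page=example-shipment-search&order_search="><script>alert(document.domain)</script>
// closes the value attribute and the input tag, and the script executes in the
// victim's browser in the site's origin (CWE-79, reflected XSS).
function example_render_search_page_vulnerable() {
    $term = isset( $_GET['order_search'] ) ? $_GET['order_search'] : '';
    echo '<form method="get">';
    echo '<input type="hidden" name="page" value="example-shipment-search">';
    echo '<input type="text" name="order_search" value="' . $term . '">';
    echo '<p>Results for: ' . $term . '</p>';
    echo '</form>';
}

// HARDENED: unslash and sanitize when reading the request, then escape at the
// point of output using the function that matches the destination context.
function example_render_search_page_hardened() {
    $term = isset( $_GET['order_search'] )
        ? sanitize_text_field( wp_unslash( $_GET['order_search'] ) )
        : '';

    echo '<form method="get">';
    echo '<input type="hidden" name="page" value="example-shipment-search">';

    // Attribute context: esc_attr() encodes & < > " ' so the value cannot
    // terminate the attribute or the tag, whatever sanitize_text_field() left in.
    echo '<input type="text" name="order_search" value="' . esc_attr( $term ) . '">';

    // HTML text context: esc_html() encodes the same characters for a text node.
    echo '<p>Results for: ' . esc_html( $term ) . '</p>';
    echo '</form>';

    example_render_back_link();
}

// URL context: user input placed in href/src must be escaped for URLs, not HTML.
function example_render_back_link() {
    $default = admin_url( 'admin.php?page=example-shipment-search' );

    // wp_validate_redirect() only accepts locations on this site (otherwise the
    // default), which also blocks turning the link into an off-site redirect.
    $back = isset( $_GET['back'] )
        ? wp_validate_redirect( wp_unslash( $_GET['back'] ), $default )
        : $default;

    // esc_url() drops schemes outside the allowed list (e.g. javascript:) and
    // encodes characters that would otherwise break out of the attribute.
    echo '<a href="' . esc_url( $back ) . '">Back</a>';
}

// When limited markup is intentionally allowed (e.g. a notice string), use
// wp_kses_post(): it keeps the tags permitted in post content and strips
// <script>, on* event handlers and javascript: URLs.
function example_render_notice( $html ) {
    echo '<div class="notice notice-info"><p>' . wp_kses_post( $html ) . '</p></div>';
}

// Register the hardened page under the WooCommerce menu (illustrative).
add_action( 'admin_menu', function () {
    add_submenu_page(
        'woocommerce',
        'Shipment search',
        'Shipment search',
        'manage_woocommerce',
        'example-shipment-search',
        'example_render_search_page_hardened'
    );
} );
```

The point to take from the two versions is that sanitize_text_field() on input is not the fix; the fix is that every echo of request-derived data goes through the escaping function for its context, and the same value is escaped differently in the attribute, the text node and the href.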
EUVD-2025-17538