CVE-2025-49042

2025-10-29 [email protected]

Lifecycle Timeline

2
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Oct 29, 2025 - 05:15 nvd
N/A

Tags

WordPress PHP XSS Woocommerce

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce woocommerce allows Stored XSS.This issue affects WooCommerce: from n/a through <= 10.0.2.

Analysis

Stored cross-site scripting (XSS) vulnerability in Automattic WooCommerce through version 10.0.2 allows attackers to inject malicious scripts that persist in the application and execute in the browsers of other users. The vulnerability stems from improper input neutralization during web page generation, enabling authenticated or lower-privileged users to compromise the integrity of the WooCommerce storefront and potentially steal customer data or perform actions on behalf of administrators.

Technical Context

This vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation), a class of weakness where user-supplied input is not properly sanitized or escaped before being rendered in HTML context. In WooCommerce, the affected component fails to neutralize untrusted input at the point of storage or retrieval, allowing script code to be persisted in the database and executed when the stored content is rendered to other users. The attack surface likely involves product descriptions, user-generated content fields, or administrative input mechanisms where WooCommerce does not apply sufficient output encoding (e.g., HTML entity encoding or context-aware escaping) before displaying the data.

Affected Products

Automattic WooCommerce versions up to and including 10.0.2 are affected. The vulnerability impacts all installations running WooCommerce through version 10.0.2 across WordPress plugin deployments. CPE references would typically follow the pattern for WordPress plugins, affecting any site utilizing the vulnerable WooCommerce version regardless of WordPress core version.

Remediation

Upgrade WooCommerce to a patched version beyond 10.0.2 as soon as possible. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/woocommerce/vulnerability/wordpress-woocommerce-plugin-10-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve for specific fixed version details and comprehensive remediation guidance. In the interim, implement strict input validation and output encoding practices across all WooCommerce-managed content fields, restrict administrative access to product and content editing functionality, and review recent changes to stored content for injected scripts.

Priority Score

0
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0

Share

CVE-2025-49042 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy