Skip to main content

Email Attachment by Order Status & Products CVE-2025-49957

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-10-22 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Apr 28, 2026 - 20:00 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Weboccult Technologies Pvt Ltd Email Attachment by Order Status & Products email-attachment-by-order-status-products allows Reflected XSS.This issue affects Email Attachment by Order Status & Products: from n/a through <= 1.0.1.

AnalysisAI

Reflected cross-site scripting in Email Attachment by Order Status & Products WordPress plugin versions ≤1.0.1 allows remote unauthenticated attackers to execute arbitrary JavaScript in victim browsers through low-complexity attacks requiring user interaction. The vulnerability enables cross-site scope impact (S:C), allowing attackers to compromise confidentiality, integrity, and availability at a low level across security boundaries. No active exploitation or public POC is confirmed at time of analysis, with EPSS data unavailable for this recently published CVE.

Technical ContextAI

This is a reflected XSS vulnerability (CWE-79) in a WordPress plugin that manages email attachments based on WooCommerce order statuses. Reflected XSS occurs when user-supplied input is immediately returned by a web application without proper validation or sanitization, allowing malicious scripts to execute in the context of the victim's browser session. The plugin handles order-related data and email attachment configurations, likely exposing admin interface parameters or customer-facing order pages to script injection. The CVSS vector indicates changed scope (S:C), meaning successful exploitation can affect resources beyond the vulnerable component's security scope, potentially compromising WordPress session tokens, admin cookies, or other site resources.

Affected ProductsAI

WordPress plugin 'Email Attachment by Order Status & Products' developed by Weboccult Technologies Pvt Ltd, all versions from inception through version 1.0.1 inclusive. The plugin is available in the WordPress plugin repository and is designed for WooCommerce integration. Vendor advisory and detailed affected version information available at Patchstack database: https://patchstack.com/database/Wordpress/Plugin/email-attachment-by-order-status-products/vulnerability/wordpress-email-attachment-by-order-status-products-plugin-1-0-1-cross-site-scripting-xss-vulnerability.

RemediationAI

Upgrade to Email Attachment by Order Status & Products version 1.0.2 or later if available from the WordPress plugin repository or vendor. Verify the patched version directly through WordPress admin dashboard or the official plugin page before deployment. If no patched version is available, consider disabling the plugin until a fix is released, particularly if it processes untrusted user input or is accessible to non-admin users. As compensating controls while awaiting patch deployment: implement Web Application Firewall (WAF) rules to detect and block common XSS patterns in requests to the plugin's endpoints (note: may cause false positives with legitimate special characters in order data); restrict plugin access to trusted administrator accounts only through WordPress role management (reduces attack surface but does not eliminate risk from targeted phishing); deploy Content Security Policy (CSP) headers with strict script-src directives to limit inline JavaScript execution (may break plugin functionality if it relies on inline scripts). Consult Patchstack advisory for vendor-specific guidance: https://patchstack.com/database/Wordpress/Plugin/email-attachment-by-order-status-products/vulnerability/wordpress-email-attachment-by-order-status-products-plugin-1-0-1-cross-site-scripting-xss-vulnerability.

Share

CVE-2025-49957 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy