CVE-2025-49958
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in robokassa Robokassa payment gateway for Woocommerce robokassa allows Reflected XSS. This issue affects Robokassa payment gateway for Woocommerce: from n/a through <= 1.8.5.
Analysis
Reflected cross-site scripting in the Robokassa Payment Gateway for WooCommerce plugin (versions ≤ 1.8.5) allows unauthenticated remote attackers to inject scripts into web pages viewed by other users. Because the scope is changed, a successful attack lets the attacker steal session tokens, perform unauthorized actions, or redirect victims to malicious sites via crafted URLs. No public exploit was identified at the time of analysis; the EPSS score of 0.03% indicates minimal observed exploitation activity.
Technical Context
This vulnerability affects the Robokassa payment gateway WordPress plugin for WooCommerce, a payment processing integration for Russian e-commerce sites. The flaw is classified as CWE-79 (Cross-site Scripting), specifically a reflected XSS variant where unsanitized user input is immediately returned in HTTP responses without proper encoding or validation. Unlike stored XSS, reflected XSS requires social engineering to deliver malicious payloads via crafted URLs or form submissions. The changed scope (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the vulnerable component itself, allowing attackers to execute scripts in the context of the WooCommerce store's domain and access cookies, session tokens, or perform actions as the victim user. Given this is a payment gateway plugin, the attack surface includes checkout flows and payment confirmation pages where user-controllable parameters may be reflected without sanitization.
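The reflected pattern described above, shown beside its hardened form as an added illustration. This is not the Robokassa plugin's code: the parameter name payment_status, the function names and the allowed values are hypothetical; the escaping helpers (wp_unslash, sanitize_text_field, esc_attr, esc_html) are standard WordPress API.

```php
<?php
// Added illustration, not the plugin's code. 'payment_status' and the
// function names are hypothetical; the page only states that user-controllable
// parameters on checkout/confirmation pages are reflected without sanitization.

// VULNERABLE pattern (CWE-79, reflected): a query-string value is written
// straight into the HTML response. Markup carried in a crafted URL therefore
// executes in the store's own origin for whoever follows the link.
function rk_example_render_status_vulnerable() {
    $status = isset( $_GET['payment_status'] ) ? $_GET['payment_status'] : '';
    echo '<div class="rk-status">Payment status: ' . $status . '</div>';
}

// HARDENED pattern: restrict the value to what the page actually expects, then
// escape for the exact output context. Escaping is applied even to the
// allow-listed value so the output stays safe if the list is later widened.
function rk_example_render_status_hardened() {
    $allowed = array( 'success', 'fail', 'pending' );
    $raw     = isset( $_GET['payment_status'] ) ? wp_unslash( $_GET['payment_status'] ) : '';
    $status  = sanitize_text_field( $raw );
    if ( ! in_array( $status, $allowed, true ) ) {
        $status = 'unknown'; // fall back instead of reflecting arbitrary input
    }
    // esc_attr() for attribute values, esc_html() for text nodes.
    printf(
        '<div class="rk-status" data-status="%s">Payment status: %s</div>',
        esc_attr( $status ),
        esc_html( $status )
    );
}
```

The allow-list removes the reflection entirely; the context-specific escaping is the defence-in-depth layer that a CSP header (see Remediation) backs up when a template still echoes user input.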
Affected Products
The vulnerability impacts Robokassa Payment Gateway for WooCommerce plugin for WordPress, affecting all versions from the initial release through version 1.8.5 inclusive. This is a third-party WordPress plugin developed by robokassa that integrates the Robokassa payment processing service with WooCommerce e-commerce platforms. The affected product is specifically the WordPress plugin package, not the core Robokassa payment service itself. Organizations running WooCommerce stores with this plugin installed at versions 1.8.5 or earlier are vulnerable. The vulnerability was reported by Patchstack's audit team, and detailed information is available in the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/robokassa/vulnerability/wordpress-robokassa-payment-gateway-for-woocommerce-plugin-1-7-3-cross-site-scripting-xss-vulnerability?_s_id=cve. Note that the Patchstack URL references version 1.7.3 in the path, but the CVE description confirms the vulnerability extends through version 1.8.5.
Remediation
Immediately update the Robokassa Payment Gateway for WooCommerce plugin to a version newer than 1.8.5 if available through the WordPress plugin repository or vendor channels. Administrators should check the official WordPress plugin directory or contact Robokassa support for the latest patched release. If an updated version is not yet available or cannot be immediately deployed, consider temporarily disabling the plugin and implementing alternative payment gateway solutions until a fix is confirmed. As an interim mitigation, implement Web Application Firewall (WAF) rules to filter potentially malicious parameters in requests to Robokassa payment pages, and enforce Content Security Policy (CSP) headers to restrict inline script execution. Review server logs for suspicious parameter patterns targeting the plugin's endpoints. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/robokassa/ for specific technical details and any vendor-provided patches. Organizations not using Robokassa payment services should remove the plugin entirely to eliminate the attack surface.