Skip to main content

Dropify wc-dropi-integration CVE-2025-53286

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-11-06 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

6
Analysis Updated
Apr 24, 2026 - 00:51 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
Severity Changed
Apr 23, 2026 - 15:43 NVD
MEDIUM HIGH
CVSS changed
Apr 23, 2026 - 15:43 NVD
6.1 (MEDIUM) 7.1 (HIGH)
Analysis Generated
Mar 28, 2026 - 19:20 vuln.today
CVE Published
Nov 06, 2025 - 16:15 nvd
MEDIUM 6.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jhainey Milevis Dropify wc-dropi-integration allows Reflected XSS.This issue affects Dropify: from n/a through <= 4.6.9.

AnalysisAI

Reflected cross-site scripting in Dropify wc-dropi-integration plugin (WordPress) through version 4.6.9 allows remote attackers to execute arbitrary JavaScript in victim browsers via maliciously crafted URLs. Attack requires user interaction (victim must click malicious link) but no authentication, enabling phishing campaigns and session hijacking. EPSS score of 0.05% (17th percentile) indicates low widespread exploitation probability, with no CISA KEV listing or public proof-of-concept identified at time of analysis.

Technical ContextAI

This vulnerability affects the Dropify WooCommerce integration plugin (wc-dropi-integration) for WordPress. The flaw stems from improper input neutralization during web page generation (CWE-79), a classic reflected XSS vulnerability class. User-supplied input in HTTP request parameters is incorporated into HTML responses without adequate sanitization or encoding. This allows attackers to inject malicious JavaScript that executes in the security context of the vulnerable site when victims access attacker-controlled URLs. The CVSS vector indicates network-based exploitation with low attack complexity, but the Changed scope (S:C) suggests the injected script can access resources beyond the vulnerable component itself, potentially targeting parent WordPress installation or WooCommerce data.

Affected ProductsAI

Dropify wc-dropi-integration plugin for WordPress, all versions up to and including 4.6.9. Per Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wc-dropi-integration/vulnerability/wordpress-dropify-plugin-4-6-9-cross-site-scripting-xss-vulnerability), this affects the WooCommerce integration component. The vulnerability was reported by audit@patchstack.com through their WordPress plugin security research program.

RemediationAI

Upgrade Dropify wc-dropi-integration plugin to version 4.7.0 or later if available (verify current version at WordPress plugin repository or vendor site). Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wc-dropi-integration/vulnerability/wordpress-dropify-plugin-4-6-9-cross-site-scripting-xss-vulnerability for patch confirmation and additional vendor guidance. If immediate patching is not feasible, implement compensating controls: configure Web Application Firewall rules to sanitize reflected parameters in requests to the plugin endpoints (may break legitimate functionality - test thoroughly), implement Content Security Policy headers restricting script execution to trusted sources only (note: CSP is defense-in-depth, not a complete XSS mitigation), and restrict WordPress admin panel access to trusted IP ranges via server-level access controls to limit phishing attack surface.

Share

CVE-2025-53286 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy