Dropify wc-dropi-integration CVE-2025-53286
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
6DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jhainey Milevis Dropify wc-dropi-integration allows Reflected XSS.This issue affects Dropify: from n/a through <= 4.6.9.
AnalysisAI
Reflected cross-site scripting in Dropify wc-dropi-integration plugin (WordPress) through version 4.6.9 allows remote attackers to execute arbitrary JavaScript in victim browsers via maliciously crafted URLs. Attack requires user interaction (victim must click malicious link) but no authentication, enabling phishing campaigns and session hijacking. EPSS score of 0.05% (17th percentile) indicates low widespread exploitation probability, with no CISA KEV listing or public proof-of-concept identified at time of analysis.
Technical ContextAI
This vulnerability affects the Dropify WooCommerce integration plugin (wc-dropi-integration) for WordPress. The flaw stems from improper input neutralization during web page generation (CWE-79), a classic reflected XSS vulnerability class. User-supplied input in HTTP request parameters is incorporated into HTML responses without adequate sanitization or encoding. This allows attackers to inject malicious JavaScript that executes in the security context of the vulnerable site when victims access attacker-controlled URLs. The CVSS vector indicates network-based exploitation with low attack complexity, but the Changed scope (S:C) suggests the injected script can access resources beyond the vulnerable component itself, potentially targeting parent WordPress installation or WooCommerce data.
Affected ProductsAI
Dropify wc-dropi-integration plugin for WordPress, all versions up to and including 4.6.9. Per Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wc-dropi-integration/vulnerability/wordpress-dropify-plugin-4-6-9-cross-site-scripting-xss-vulnerability), this affects the WooCommerce integration component. The vulnerability was reported by audit@patchstack.com through their WordPress plugin security research program.
RemediationAI
Upgrade Dropify wc-dropi-integration plugin to version 4.7.0 or later if available (verify current version at WordPress plugin repository or vendor site). Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wc-dropi-integration/vulnerability/wordpress-dropify-plugin-4-6-9-cross-site-scripting-xss-vulnerability for patch confirmation and additional vendor guidance. If immediate patching is not feasible, implement compensating controls: configure Web Application Firewall rules to sanitize reflected parameters in requests to the plugin endpoints (may break legitimate functionality - test thoroughly), implement Content Security Policy headers restricting script execution to trusted sources only (note: CSP is defense-in-depth, not a complete XSS mitigation), and restrict WordPress admin panel access to trusted IP ranges via server-level access controls to limit phishing attack surface.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today