CVE-2025-64289

Severity: MEDIUM
Published: 2025-10-29
Source: [email protected]
Base Score: 5.9 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Oct 29, 2025 - 09:15 (nvd), rated MEDIUM 5.9

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Premmerce Premmerce Product Search for WooCommerce premmerce-search allows Stored XSS. This issue affects Premmerce Product Search for WooCommerce: from n/a through <= 2.2.5.

Analysis

Stored XSS in Premmerce Product Search for WooCommerce through version 2.2.5 allows high-privilege authenticated users to inject scripts that later execute in the browsers of other users, including website visitors and administrators. Payload execution requires user interaction (a page view), and the EPSS exploitation probability is low (0.02%), indicating minimal real-world risk despite the network-accessible attack vector. No public exploit code or active exploitation has been confirmed.

Technical Context

This vulnerability is a Stored Cross-Site Scripting (CWE-79) flaw in the Premmerce Product Search plugin for WordPress/WooCommerce, a search optimization extension. The plugin does not properly sanitize and escape user-supplied input when generating HTML output, so an attacker holding an administrator or other high-privilege role can store a JavaScript payload in the plugin's data. When other users (including lower-privilege administrators or website visitors) view pages on which the plugin renders search results or settings, the unescaped payload executes in their browser session with their privileges. The CPE entry scopes the flaw to the WordPress plugin platform (target software: wordpress) and specifically to the premmerce-search plugin component.

Affected Products

Premmerce Product Search for WooCommerce (premmerce-search plugin) through version 2.2.5. The vulnerability affects all installations of this WordPress plugin up to and including the 2.2.5 release. Exact CPE: cpe:2.3:a:premmerce:premmerce_product_search:*:*:*:*:*:wordpress:*:* (versions up to 2.2.5). Additional details and vendor advisory available at https://patchstack.com/database/Wordpress/Plugin/premmerce-search/vulnerability/wordpress-premmerce-product-search-for-woocommerce-plugin-2-2-4-cross-site-scripting-xss-vulnerability?_s_id=cve

Remediation

Update Premmerce Product Search for WooCommerce to version 2.2.6 or later, which includes input sanitization fixes for the vulnerable code path. Site administrators should navigate to Plugins > Installed Plugins in the WordPress dashboard, locate Premmerce Product Search, and click Update if available. If automatic updates are not enabled, manually download the latest version from the plugin's official repository and upload it via Plugins > Add New > Upload Plugin. After updating, verify the version number in the plugin details to confirm the fix has been applied. Consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/premmerce-search/) for detailed patching guidance specific to your site configuration.

Priority Score

30 (scale: Low / Medium / High / Critical)

KEV: 0
EPSS: +0.0
CVSS: +30
POC: 0
