Bopo Woocommerce Product Bundle Builder
Monthly
Reflected cross-site scripting in the VillaTheme Bopo - WooCommerce Product Bundle Builder plugin for WordPress affects all versions up to and including 1.2.0, letting unauthenticated attackers inject script into a victim's browser session when the victim clicks a crafted link. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) reflects a scope change, meaning injected script executes in the WordPress site's security context and can target logged-in administrators. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but reflected XSS in WooCommerce plugins is a well-understood and easily weaponized class.
Reflected cross-site scripting in the VillaTheme Bopo - WooCommerce Product Bundle Builder plugin for WordPress affects all versions up to and including 1.2.0, letting unauthenticated attackers inject script into a victim's browser session when the victim clicks a crafted link. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) reflects a scope change, meaning injected script executes in the WordPress site's security context and can target logged-in administrators. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but reflected XSS in WooCommerce plugins is a well-understood and easily weaponized class.