Woocommerce Designer Pro
Monthly
Stored Cross-Site Scripting in WooCommerce Designer Pro (WordPress plugin) versions 1.9.34 and earlier allows authenticated subscribers to inject malicious scripts that execute in the browsers of other users, including administrators. The scope change (S:C in CVSS) indicates injected payloads can cross privilege boundaries, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the subscriber-level entry point lowers the bar for exploitation on any site permitting account registration.
Stored Cross-Site Scripting in WooCommerce Designer Pro (WordPress plugin) versions 1.9.34 and earlier allows authenticated subscribers to inject malicious scripts that execute in the browsers of other users, including administrators. The scope change (S:C in CVSS) indicates injected payloads can cross privilege boundaries, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code and no CISA KEV listing have been identified at time of analysis, though the subscriber-level entry point lowers the bar for exploitation on any site permitting account registration.