Description
The Big Post Shipping for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wooboigpost_shipping_status' shortcode in all versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-09-30
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (Contributor+)
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw in the wooboigpost_shipping_status shortcode of the Big Post Shipping for WooCommerce plugin. Insufficient input sanitization and output escaping allow authenticated users with contributor-level or higher privileges to inject arbitrary scripts via the shortcode's attributes. When a page containing the shortcode is rendered, the injected scripts execute in the browser of every user who views that page, potentially enabling credential theft, session hijacking, defacement, or other malicious actions.

Affected Systems

All WordPress sites running the Big Post Shipping for WooCommerce plugin by Fusedsoftware at version 2.1.2 or earlier are affected. The flaw resides in the plugin's shortcode implementation and is unrelated to WordPress core. Sites that have upgraded past version 2.1.2, or that never installed the plugin, are not impacted.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity, while an EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, and exploitation requires authentication: an attacker must hold a contributor-level or higher account, which reduces the overall threat compared to flaws exploitable by unauthenticated users.

Generated by OpenCVE AI on April 22, 2026 at 13:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Big Post Shipping plugin to the latest version, which removes the vulnerable shortcode processing.
  • Restrict access to the Contributor role to trusted personnel only, or remove the role if unnecessary.
  • If an immediate update is not feasible, delete or disable the wooboigpost_shipping_status shortcode handler, or apply a filter that escapes its attributes for all posts that use the shortcode.
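As a concrete form of the stop-gap in the last item, here is an added mu-plugin sketch (not code from the Big Post Shipping plugin or from OpenCVE) that either disables the shortcode or wraps whatever handler is registered for it so that attribute values are reduced to plain, HTML-escaped text before the plugin sees them. It assumes the plugin registers the shortcode on `init` at default priority and that the attribute values end up in an HTML context.

```php
<?php
/**
 * Plugin Name: Temporary hardening for wooboigpost_shipping_status
 * Description: Added illustration, not code from the Big Post Shipping plugin.
 *              Place in wp-content/mu-plugins/ until the plugin is updated past 2.1.2.
 */

// true: remove the shortcode entirely; false: keep it, but sanitize its attributes.
const BPS_TMP_DISABLE_SHORTCODE = false;

add_action( 'init', function () {
    global $shortcode_tags;
    $tag = 'wooboigpost_shipping_status';

    // Assumption: the plugin registers the shortcode on 'init' at default priority (10),
    // so at priority 100 the registered callback is already visible here.
    if ( ! isset( $shortcode_tags[ $tag ] ) ) {
        return; // plugin inactive, or updated and no longer using this tag
    }

    if ( BPS_TMP_DISABLE_SHORTCODE ) {
        remove_shortcode( $tag );
        // Register an inert handler so the raw "[wooboigpost_shipping_status ...]" text
        // is not left visible in published pages.
        add_shortcode( $tag, function () { return ''; } );
        return;
    }

    $original = $shortcode_tags[ $tag ];
    remove_shortcode( $tag );

    // Wrap the original handler: every attribute value is stripped of tags and
    // HTML-escaped before the plugin sees it, so markup supplied by a Contributor
    // cannot reach the plugin's unescaped output path. Values the plugin escapes
    // itself may show double-escaped entities, which is acceptable for a stop-gap.
    add_shortcode( $tag, function ( $atts, $content = null ) use ( $original, $tag ) {
        $atts  = is_array( $atts ) ? $atts : array(); // WP passes '' when no attributes are given
        $clean = array();
        foreach ( $atts as $key => $value ) {
            $clean[ sanitize_key( (string) $key ) ] = is_string( $value )
                ? esc_attr( sanitize_text_field( $value ) )
                : '';
        }
        return call_user_func( $original, $clean, $content, $tag );
    } );
}, 100 );
```

If the plugin places attribute values inside a script block or an inline event-handler attribute, HTML escaping alone is not sufficient and the disable option should be used instead.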

Advisories

Source: EUVD
ID: EUVD-2025-31688
Title: The Big Post Shipping for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wooboigpost_shipping_status' shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 08 Apr 2026 17:45:00 +0000

Type: Description
Removed: The Big Post Shipping for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wooboigpost_shipping_status' shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Added: The Big Post Shipping for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wooboigpost_shipping_status' shortcode in all versions up to, and including, 2.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Removed: Big Post Shipping for WooCommerce <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Added: Big Post Shipping for WooCommerce <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Type: References

Tue, 30 Sep 2025 16:15:00 +0000

Type: Metrics (ssvc)
Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Sep 2025 09:00:00 +0000

Type: First Time appeared
Added: Fusedsoftware; Fusedsoftware big Post Shipping For Woocommerce; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Type: Vendors & Products
Added: Fusedsoftware; Fusedsoftware big Post Shipping For Woocommerce; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Tue, 30 Sep 2025 03:45:00 +0000

Type: Description
Added: The Big Post Shipping for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wooboigpost_shipping_status' shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Added: Big Post Shipping for WooCommerce <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Type: Weaknesses
Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:27.925Z

Reserved: 2025-09-09T15:55:44.110Z

Link: CVE-2025-10191

Vulnrichment

Updated: 2025-09-30T15:29:22.401Z

NVD

Status: Deferred

Published: 2025-09-30T11:37:38.193

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10191

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T13:30:17Z

Weaknesses