Description
The Omnichannel for WooCommerce: Google, Amazon, eBay & Walmart Integration – Powered by Codisto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sync() function in all versions up to, and including, 1.3.65 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-12-04
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Patch
AI Analysis

Impact

The Omnichannel for WooCommerce: Google, Amazon, eBay & Walmart Integration – Powered by Codisto plugin for WordPress contains an insufficient input sanitization flaw in the sync() function that permits malicious JavaScript to be stored and subsequently executed on any affected page. This stored cross‑site scripting runs whenever a visitor accesses the page, enabling attackers to execute code in the victim’s browser context.

Affected Systems

WordPress sites running the Codisto Omnichannel plugin version 1.3.65 or earlier are vulnerable. All releases up to and including 1.3.65 contain the flaw; newer releases are free of this issue.

Risk and Exploitability

The CVSS score of 7.2 signals a high potential impact, while an EPSS score of <1% suggests a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attacks can be carried out without authentication by sending a crafted sync request containing malicious payload; once stored, the script is served to all visitors when they view the affected content.

Generated by OpenCVE AI on April 21, 2026 at 17:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Codisto Omnichannel plugin to the latest release that contains the input sanitization fix.
  • Restrict access to the sync() endpoint or disable the plugin’s sync features to prevent further injection.
  • Implement a site‑wide Content Security Policy and enable X‑XSS‑Protection headers to mitigate execution of injected scripts.

Generated by OpenCVE AI on April 21, 2026 at 17:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Dec 2025 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Codisto
Codisto omnichannel For Woocommerce
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Codisto
Codisto omnichannel For Woocommerce
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress

Thu, 04 Dec 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Dec 2025 04:45:00 +0000

Type Values Removed Values Added
Description The Omnichannel for WooCommerce: Google, Amazon, eBay & Walmart Integration – Powered by Codisto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sync() function in all versions up to, and including, 1.3.65 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Omnichannel for WooCommerce: Google, Amazon, eBay & Walmart Integration - Powered by Codisto <= 1.3.65 - Unauthenticated Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Codisto Omnichannel For Woocommerce
Woocommerce Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:33:12.903Z

Reserved: 2025-10-13T22:46:45.514Z

Link: CVE-2025-11727

cve-icon Vulnrichment

Updated: 2025-12-04T14:19:14.397Z

cve-icon NVD

Status : Deferred

Published: 2025-12-04T05:16:23.157

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11727

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T18:00:11Z

Weaknesses