Description
The Woocommerce – Products By Custom Tax plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'woo_products_custom_tax' shortcode in all versions up to, and including, 2.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-11-11
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The WooCommerce – Products By Custom Tax plugin is vulnerable to stored cross‑site scripting through the woo_products_custom_tax shortcode. Shortcode attributes are neither sanitized on input nor escaped on output, so an authenticated user with contributor‑level access or higher can place arbitrary JavaScript in a post that is saved with the page and then executed in the browser of every visitor who loads the affected content. The description does not detail the specific consequences of the injected script beyond stating that it runs in the context of the users who view the page.
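The root cause the description names (attributes neither sanitized nor escaped) in a hypothetical shortcode handler, added here as an example; it is not the plugin's code, which the page does not show. The function names products_by_tax_vulnerable and products_by_tax_hardened, the attribute names and the sample values are assumptions, and the polyfills stand in for WordPress's own helpers so the file runs under plain PHP.

```php
<?php
// Added example, not the plugin's code: a hypothetical handler in the shape of
// [woo_products_custom_tax ...], first the vulnerable way, then hardened.
// Attribute values come from post content that contributors write, so they
// are untrusted input. Only the HTML wrapper is rendered; no product query.

// Polyfills so the file runs outside WordPress (php this_file.php). Inside
// WordPress the real esc_html()/esc_attr()/absint()/sanitize_key() are used.
if (!function_exists('esc_html'))  { function esc_html($s) { return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8'); } }
if (!function_exists('esc_attr'))  { function esc_attr($s) { return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8'); } }
if (!function_exists('absint'))    { function absint($n)   { return abs((int)$n); } }
if (!function_exists('sanitize_key')) { function sanitize_key($k) { return preg_replace('/[^a-z0-9_\-]/', '', strtolower((string)$k)); } }
if (!function_exists('shortcode_atts')) { function shortcode_atts($d, $a) { return array_merge($d, array_intersect_key($a, $d)); } }

// VULNERABLE: attribute values are interpolated straight into HTML, so a
// quote breaks out of the attribute and tags in the title reach the page.
function products_by_tax_vulnerable(array $atts): string {
    $a = shortcode_atts(['taxonomy' => 'product_cat', 'title' => '', 'limit' => 10], $atts);
    return "<div class=\"products\" data-tax=\"{$a['taxonomy']}\" data-limit=\"{$a['limit']}\">"
         . "<h2>{$a['title']}</h2></div>";
}

// HARDENED: each attribute is sanitized for its expected type on input and
// escaped for the exact HTML context it lands in on output.
function products_by_tax_hardened(array $atts): string {
    $a = shortcode_atts(['taxonomy' => 'product_cat', 'title' => '', 'limit' => 10], $atts);
    $taxonomy = sanitize_key($a['taxonomy']);  // taxonomy slugs are only [a-z0-9_-]
    $limit    = absint($a['limit']);           // numeric attribute, never a free string
    return '<div class="products" data-tax="' . esc_attr($taxonomy) . '" data-limit="' . $limit . '">'
         . '<h2>' . esc_html($a['title']) . '</h2></div>';
}

// Constructed attribute values containing markup characters (not an exploit payload).
$atts = ['taxonomy' => 'product_cat" x="y', 'title' => '<b>Sale</b>', 'limit' => '5 or 1'];
echo products_by_tax_vulnerable($atts), PHP_EOL;  // quote breakout and raw <b> tags survive
echo products_by_tax_hardened($atts), PHP_EOL;    // data-tax="product_catxy", limit 5, &lt;b&gt;Sale&lt;/b&gt;
```

The hardened form applies the two controls the advisory says are missing: type-appropriate sanitization when the attribute is read, and context-appropriate escaping when it is written into HTML.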

Affected Systems

WordPress sites that have installed the WooCommerce – Products By Custom Tax plugin by the vendor Elvismdev. All plugin versions up to and including 2.2 are affected.

Risk and Exploitability

The CVSS score of 6.4 indicates medium severity. The EPSS score is below 1%, suggesting a low likelihood of mass exploitation at this time, and the vulnerability is not currently listed in the CISA KEV catalog. The attack requires an authenticated contributor‑level account, but once a payload is stored it affects every user who views the injected page, so administrators should treat this as a priority issue.

Generated by OpenCVE AI on April 22, 2026 at 00:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WooCommerce – Products By Custom Tax plugin to a version newer than 2.2.
  • If an upgrade cannot be applied immediately, revoke or downgrade contributor‑level permissions for users who can edit content, or disable the woo_products_custom_tax shortcode and remove it from existing posts.
  • Deploy a web application firewall rule that detects and blocks script payloads inserted into shortcode attributes.

Advisories

No advisories yet.

History

Each entry lists the record type changed, with values removed and values added (no values were removed in any entry).

Fri, 14 Nov 2025 16:15:00 +0000
  Metrics (added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 12 Nov 2025 13:00:00 +0000
  First Time appeared (added): Elvismdev; Elvismdev products By Custom Tax; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress
  Vendors & Products (added): Elvismdev; Elvismdev products By Custom Tax; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Tue, 11 Nov 2025 03:45:00 +0000
  Description (added): The Woocommerce – Products By Custom Tax plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'woo_products_custom_tax' shortcode in all versions up to, and including, 2.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
  Title (added): Woocommerce – Products By Custom Tax <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
  Weaknesses (added): CWE-79
  References (added):
  Metrics (added): cvssV3_1
    {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:23:36.056Z

Reserved: 2025-10-15T17:29:32.050Z

Link: CVE-2025-11821

Vulnrichment

Updated: 2025-11-14T15:21:02.582Z

NVD

Status: Deferred

Published: 2025-11-11T04:15:42.280

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11821

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:45:04Z

Weaknesses