Description
The Kadence WooCommerce Email Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer name in all versions up to, and including, 1.5.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-12-02
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting allowing unauthenticated script injection
Action: Apply Patch
AI Analysis

Impact

The Kadence WooCommerce Email Designer plugin is vulnerable to stored cross-site scripting due to insufficient sanitization of the customer name field, allowing unauthenticated attackers to insert arbitrary scripts that execute when any user views the affected page, potentially leading to defacement, credential theft, or other XSS-related attacks.

Affected Systems

The vulnerability affects the Kadence WooCommerce Email Designer WordPress plugin from the publisher StellarWP, impacting all versions up to and including 1.5.17. No specific sub‑versions beyond 1.5.17 are listed as affected.

Risk and Exploitability

The exploitability is rated with a CVSS score of 7.2 and an EPSS of less than 1%, indicating a moderate severity but a very low probability of exploitation in the wild. The vulnerability is not listed in CISA's KEV catalog. Based on the description, the likely attack vector is a web-based form or API that accepts customer name input without proper escaping, and the attack does not require authentication.

Generated by OpenCVE AI on April 22, 2026 at 21:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kadence WooCommerce Email Designer to the latest available version to remove the vulnerability.
  • If an immediate upgrade is not possible, consider removing or disabling the plugin until a patched version is available.
  • Deploy a Web Application Firewall rule or enforce a strict Content Security Policy to block injected scripts in the customer name field as a temporary safeguard.



Advisories

No advisories yet.

History

Tue, 02 Dec 2025 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 02 Dec 2025 12:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Kadencewp; Kadencewp kadence Woocommerce Email Designer; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Kadencewp; Kadencewp kadence Woocommerce Email Designer; Wordpress; Wordpress wordpress

Tue, 02 Dec 2025 04:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Kadence WooCommerce Email Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer name in all versions up to, and including, 1.5.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Removed: (none)
Values Added: Kadence WooCommerce Email Designer <= 1.5.17 - Unauthenticated Stored Cross-Site Scripting

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added:

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Kadencewp Kadence Woocommerce Email Designer
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:40:43.158Z

Reserved: 2025-11-18T21:09:56.134Z

Link: CVE-2025-13387

Vulnrichment

Updated: 2025-12-02T14:28:12.595Z

NVD

Status: Deferred

Published: 2025-12-02T05:16:17.163

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13387

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T21:15:27Z

Weaknesses