Description
The WPC Badge Management for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the `wpcbm_best_seller` shortcode in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-13
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WPC Badge Management for WooCommerce plugin stores the user-supplied value of the 'text' attribute of the wpcbm_best_seller shortcode without sanitizing it on input or escaping it on output. A user holding the Shop Manager role or higher can therefore save a page or post whose shortcode attribute carries JavaScript; the payload persists in the database with the post content and runs in the browser of every visitor who loads that page, in that visitor's session. The CVSS vector's changed scope (S:C) reflects this: the attacker needs only content-editing rights, but the script executes with whatever the viewing user can do, so an administrator opening the page runs the attacker's code in an administrator session.
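The bug class described above, as an added illustration that is not the plugin's own code: a hypothetical WordPress badge shortcode that concatenates its 'text' attribute into the markup unescaped, beside the hardened form that escapes for the output context. The shortcode tags (badge_demo_vuln, badge_demo), the CSS class and the default label are assumptions made for the example.

```php
<?php
/**
 * Added illustration of the bug class in the advisory, not wpclever's code.
 * A hypothetical badge shortcode that echoes its 'text' attribute raw,
 * next to the hardened version. Shortcode names, the CSS class and the
 * defaults are assumptions. Drop the file into wp-content/mu-plugins/ on a
 * test site and put both shortcodes on one page to compare the rendering.
 */

// Vulnerable form: the attribute value is concatenated straight into the
// HTML. Whoever can edit the page (Shop Manager and above) controls what
// every visitor's browser parses and executes.
function badge_demo_vulnerable( $atts ) {
	$atts = shortcode_atts( array( 'text' => 'Best seller' ), $atts, 'badge_demo_vuln' );
	return '<span class="badge-demo">' . $atts['text'] . '</span>';
}
add_shortcode( 'badge_demo_vuln', 'badge_demo_vulnerable' );

// Hardened form: escape at output time for the exact context the value
// lands in. esc_html() for element content, esc_attr() for an attribute
// value; if a little markup must be allowed in the label, wp_kses_post()
// instead of the raw string. Nothing about how the value is stored changes.
function badge_demo_safe( $atts ) {
	$atts = shortcode_atts(
		array(
			'text'  => 'Best seller',
			'title' => '',
		),
		$atts,
		'badge_demo'
	);
	$title = '' === $atts['title'] ? '' : ' title="' . esc_attr( $atts['title'] ) . '"';
	return '<span class="badge-demo"' . $title . '>' . esc_html( $atts['text'] ) . '</span>';
}
add_shortcode( 'badge_demo', 'badge_demo_safe' );
```

Output escaping is the control that matters here. Save-time filtering with wp_kses only strips HTML it can parse as disallowed tags or attributes; the shortcode attribute is stored as plain text inside `[...]`, so a value that merely closes a quote and adds an event-handler attribute contains no tag for the filter to remove, and it survives even when the saving user lacks unfiltered_html.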

Affected Systems

All releases of the WPC Badge Management for WooCommerce plugin by wpclever up to and including 3.1.6 are vulnerable. Any WordPress site running the plugin where a Shop Manager or an equivalent role can create or edit posts and pages containing the wpcbm_best_seller shortcode is exposed.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 5.5 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N), is not listed in CISA KEV, and has an EPSS score below 1%. Exploitation requires an authenticated account that can edit content rendering the shortcode (Shop Manager or above), which limits who can plant the payload, but once stored it fires for every visitor to the page, so the realistic consequence is a content editor reaching an administrator's session rather than an impact confined to the attacker's own role.

Generated by OpenCVE AI on May 13, 2026 at 09:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WPC Badge Management for WooCommerce plugin to the first release after 3.1.6 that the vendor marks as fixing this issue; no fixed version is listed on this page yet, so check the plugin changelog before assuming a newer build is safe.
  • If an immediate upgrade is not possible, remove the 'text' attribute (or the whole wpcbm_best_seller shortcode) from existing posts and pages, and restrict Shop Manager accounts from editing content that renders it until a fixed release is available.
  • Audit stored post content, including revisions, for wpcbm_best_seller shortcodes whose 'text' attribute contains markup, quotes or event-handler syntax, and delete or sanitize any that are found.
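The audit step above, as an added script that is neither OpenCVE's nor the plugin's code: it parses post content for wpcbm_best_seller shortcodes, extracts the 'text' attribute the advisory names, and flags values containing characters that can break out of an HTML text or attribute context. The sample post contents and their IDs are constructed for the example; in practice the input is post_content pulled from the wp_posts table.

```php
<?php
// Added audit script (not OpenCVE's or wpclever's code). Scans post content for
// [wpcbm_best_seller ...] shortcodes, pulls out the 'text' attribute and flags
// values that can break out of an HTML context. The $samples array and the
// post IDs 101-103 are constructed; feed it real post_content from wp_posts.

/** Return every 'text' attribute value found in wpcbm_best_seller shortcodes. */
function wpcbm_audit_text_attrs( string $content ): array {
	$values = array();
	// Opening tags only. WordPress accepts "..", '..' or a bare word as the value.
	preg_match_all( '/\[wpcbm_best_seller\b([^\]]*)\]/i', $content, $tags, PREG_SET_ORDER );
	foreach ( $tags as $tag ) {
		if ( preg_match( '/\btext\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s\]]+))/i', $tag[1], $m ) ) {
			// Only the matching alternative's group is non-empty.
			$values[] = '' !== $m[1] ? $m[1] : ( '' !== ( $m[2] ?? '' ) ? $m[2] : ( $m[3] ?? '' ) );
		}
	}
	return $values;
}

/** Heuristic: tokens that have no business in a plain badge label. */
function wpcbm_audit_is_suspicious( string $value ): bool {
	// Tag delimiters, quotes that close an attribute, event handlers,
	// javascript: URLs and numeric entities used to hide any of the above.
	$pattern = '/[<>"\'`]|\bon[a-z]+\s*=|javascript\s*:|&#x?[0-9a-f]+;?/i';
	return (bool) preg_match( $pattern, $value );
}

/** Map post_id => post_content to post_id => list of flagged attribute values. */
function wpcbm_audit_posts( array $posts ): array {
	$report = array();
	foreach ( $posts as $post_id => $content ) {
		$flagged = array_values( array_filter( wpcbm_audit_text_attrs( $content ), 'wpcbm_audit_is_suspicious' ) );
		if ( $flagged ) {
			$report[ $post_id ] = $flagged;
		}
	}
	return $report;
}

// Constructed sample content. Only post 102 carries a quote-breakout value.
$samples = array(
	101 => 'Weekly picks [wpcbm_best_seller text="Best seller"] and [wpcbm_best_seller text=Hot]',
	102 => 'Badge: [wpcbm_best_seller text=\'Top" onmouseover="alert(1)\']',
	103 => 'No shortcode here, just <strong>markup</strong> in the body.',
);

foreach ( wpcbm_audit_posts( $samples ) as $post_id => $values ) {
	foreach ( $values as $value ) {
		printf( "post %d: suspicious text attribute %s\n", $post_id, var_export( $value, true ) );
	}
}
```

To run it against a live site, export the rows of interest with a query such as `SELECT ID, post_content FROM wp_posts WHERE post_content LIKE '%wpcbm_best_seller%'` (assumed table prefix `wp_`) and load them into the array in place of the samples; include rows with post_type = 'revision', since restoring an old revision would bring a cleaned payload back. An apostrophe in a legitimate label such as "Editor's pick" is flagged too; that is deliberate, the list is for manual review rather than automatic deletion.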


Advisories

No advisories yet.

History

Wed, 13 May 2026 11:30:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 09:30:00 +0000

Type: First Time appeared
Values added: Wordpress; Wordpress wordpress; Wpclever; Wpclever wpc Badge Management For Woocommerce
Type: Vendors & Products
Values added: Wordpress; Wordpress wordpress; Wpclever; Wpclever wpc Badge Management For Woocommerce

Wed, 13 May 2026 08:15:00 +0000

Type: Description
Values added: The WPC Badge Management for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the `wpcbm_best_seller` shortcode in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Type: Title
Values added: WPC Badge Management for WooCommerce <= 3.1.6 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via 'text' Attribute
Type: Weaknesses
Values added: CWE-79
Type: References
Values added: (none)
Type: Metrics (cvssV3_1)
Values added: {'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-13T10:20:27.514Z

Reserved: 2025-12-16T01:10:30.474Z

Link: CVE-2025-14767

Vulnrichment

Updated: 2026-05-13T10:18:19.727Z

NVD

Status : Deferred

Published: 2026-05-13T08:16:15.027

Modified: 2026-05-13T14:43:46.717

Link: CVE-2025-14767

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:00:11Z

Weaknesses