The S3Player plugin for WooCommerce and Elementor Integration fails to properly neutralize user‑supplied input before rendering it as part of a web page, enabling attackers to store and subsequently inject malicious JavaScript. This stored XSS flaw allows an attacker who can submit content—such as via a post, comment, or plugin configuration—to place code that will be executed whenever a visitor loads the affected page. Potential consequences include hijacking of user sessions, theft of credentials, or the insertion of additional malicious payloads within the site.

WordPress installations that have the S3Player – WooCommerce & Elementor Integration plugin from S3Bubble, versions up through 4.2.1, are vulnerable. Any site that has previously installed this plugin before the last version available is at risk if the plugin remains active.

The vulnerability is rated a CVSS score of 6.5, indicating a moderate severity. Its EPSS score is below 1%, implying a very low but non‑zero probability of exploitation, and it is not listed in the CISA KEV catalog. Exploitation requires that an attacker be able to submit data to the plugin’s input fields, which is typically feasible for administrators or content editors. Once submitted, the malicious script is stored and served to all site visitors who load pages that render the unfiltered content.