Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dugudlabs SpecFit-Virtual Try On Woocommerce try-on-for-woocommerce allows Stored XSS. This issue affects SpecFit-Virtual Try On Woocommerce: from n/a through <= 8.0.3.
Published: 2025-06-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The SpecFit‑Virtual Try On WooCommerce plugin fails to neutralize user-supplied input, allowing an attacker to store a malicious script on the site. When a user views the affected content, the stored script is rendered and executes as arbitrary JavaScript in the browser of every visitor who views it. This flaw, classified as CWE‑79, can result in session hijacking, defacement, or other malicious actions performed in the victim's browser context.

Affected Systems

WordPress sites that have the dugudlabs SpecFit‑Virtual Try On WooCommerce plugin installed in any version up to and including 8.0.3 are vulnerable. The issue is present from the earliest releases through 8.0.3; versions 8.0.4 and later are not affected.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while the EPSS score of less than 1% suggests a low current probability of exploitation. The flaw is not listed in the CISA KEV catalog. The likely attack vector, inferred from the description, is that an attacker submits malicious input through a plugin interface, where it is stored and later rendered without escaping. Because the stored payload executes in any visitor's browser, the impact can be site-wide, although the opportunity for exploitation depends on who can reach the vulnerable interface. The attack can be carried out by users who are able to submit content via the plugin, since the output is displayed without proper sanitization.

Generated by OpenCVE AI on May 2, 2026 at 01:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SpecFit‑Virtual Try On WooCommerce plugin to version 8.0.4 or later.
  • If no upgrade is available, uninstall or disable the plugin to eliminate the vulnerability.
  • If the plugin must remain active, restrict input to trusted administrators only, enforce strict sanitization of all user input (and escaping of it on output), and configure a web application firewall to block malicious scripts.

Advisories

  • Source: EUVD; ID: EUVD-2025-19319; Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dugudlabs SpecFit-Virtual Try On Woocommerce allows Stored XSS. This issue affects SpecFit-Virtual Try On Woocommerce: from n/a through 7.0.6.

History

Thu, 23 Apr 2026 15:00:00 +0000

  • Metrics cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

  • Description
      Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dugudlabs SpecFit-Virtual Try On Woocommerce allows Stored XSS. This issue affects SpecFit-Virtual Try On Woocommerce: from n/a through 7.0.6.
      Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dugudlabs SpecFit-Virtual Try On Woocommerce try-on-for-woocommerce allows Stored XSS. This issue affects SpecFit-Virtual Try On Woocommerce: from n/a through <= 8.0.3.
  • Title
      Removed: WordPress SpecFit-Virtual Try On Woocommerce plugin <= 7.0.6 - Cross Site Scripting (XSS) Vulnerability
      Added: WordPress SpecFit-Virtual Try On Woocommerce plugin <= 8.0.3 - Cross Site Scripting (XSS) vulnerability
  • References: (no values listed)
  • Metrics cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 27 Jun 2025 14:15:00 +0000

  • Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Jun 2025 12:00:00 +0000

  • Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dugudlabs SpecFit-Virtual Try On Woocommerce allows Stored XSS. This issue affects SpecFit-Virtual Try On Woocommerce: from n/a through 7.0.6.
  • Title: WordPress SpecFit-Virtual Try On Woocommerce plugin <= 7.0.6 - Cross Site Scripting (XSS) Vulnerability
  • Weaknesses: CWE-79
  • References: (no values listed)
  • Metrics cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-13T00:02:07.226Z

Reserved: 2025-01-16T11:33:14.049Z

Link: CVE-2025-23973

Vulnrichment

Updated: 2025-06-27T12:43:03.740Z

NVD

Status: Deferred

Published: 2025-06-27T12:15:30.430

Modified: 2026-06-17T08:57:49.230

Link: CVE-2025-23973

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T01:30:16Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')