Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in oneteamsoftware Radio Buttons and Swatches for WooCommerce variations-radio-buttons-for-woocommerce allows Reflected XSS.This issue affects Radio Buttons and Swatches for WooCommerce: from n/a through <= 1.1.20.
Published: 2025-01-31
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user‑supplied input during web page generation allows reflected XSS. An attacker could embed malicious scripts in a URL or form field that, when processed by the plugin, execute in the browser of anyone who clicks the crafted link or submits the form. This can lead to credential theft, session hijacking, defacement, or the execution of arbitrary JavaScript in the victim’s context. The weakness is a classic input‑validation flaw—CWE‑79.

Affected Systems

This issue affects WordPress sites that use the "Radio Buttons and Swatches for WooCommerce" plugin from oneteamsoftware. All versions up to and including 1.1.20 are vulnerable; newer releases are not impacted.

Risk and Exploitability

The CVSS v3.1 base score is 7.1, indicating a high‑severity vulnerability. The EPSS score is < 1 %, so the likelihood of exploitation in the wild is currently low. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the described reflected nature and typical web‑application entry points, the most likely attack vector is via a maliciously crafted URL or form submission that an unsuspecting user follows or submits. The attack requires user interaction with the target site but can be automated if an attacker can load the crafted request.

Generated by OpenCVE AI on May 1, 2026 at 17:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Radio Buttons and Swatches for WooCommerce plugin to version 1.1.21 or later.
  • If an immediate upgrade is not possible, remove the plugin or disable its functionality until a patch is applied.
  • Configure a Web Application Firewall or use a security plugin to block or filter JavaScript payloads in incoming requests.

Generated by OpenCVE AI on May 1, 2026 at 17:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-3760 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OneTeamSoftware Radio Buttons and Swatches for WooCommerce allows Reflected XSS. This issue affects Radio Buttons and Swatches for WooCommerce: from n/a through 1.1.20.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OneTeamSoftware Radio Buttons and Swatches for WooCommerce allows Reflected XSS. This issue affects Radio Buttons and Swatches for WooCommerce: from n/a through 1.1.20. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in oneteamsoftware Radio Buttons and Swatches for WooCommerce variations-radio-buttons-for-woocommerce allows Reflected XSS.This issue affects Radio Buttons and Swatches for WooCommerce: from n/a through <= 1.1.20.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00035}

 epss

{'score': 0.00045}

Mon, 10 Feb 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 31 Jan 2025 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OneTeamSoftware Radio Buttons and Swatches for WooCommerce allows Reflected XSS. This issue affects Radio Buttons and Swatches for WooCommerce: from n/a through 1.1.20.
Title WordPress Radio Buttons and Swatches for WooCommerce plugin <= 1.1.20 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:28.435Z

Reserved: 2025-01-23T14:50:18.329Z

Link: CVE-2025-24551

cve-icon Vulnrichment

Updated: 2025-01-31T15:36:13.864Z

cve-icon NVD

Status : Deferred

Published: 2025-01-31T09:15:10.170

Modified: 2026-04-23T15:24:59.217

Link: CVE-2025-24551

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T18:00:09Z

Weaknesses