Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Additional Custom Product Tabs for WooCommerce product-tabs-for-woocommerce allows Stored XSS. This issue affects Additional Custom Product Tabs for WooCommerce: from n/a through <= 1.7.0.
Published: 2025-04-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored cross‑site scripting flaw exists in WPFactory’s Additional Custom Product Tabs for WooCommerce: the plugin fails to neutralize user input that is rendered in product pages. An attacker who can inject crafted content into a product tab can cause script in that content to run in the browser of any site visitor, potentially leading to session hijacking, defacement, or disclosure of sensitive data. The weakness is a classic CWE‑79 failure to neutralize input during web page generation.

Affected Systems

WPFactory’s Additional Custom Product Tabs for WooCommerce plugin, versions from the earliest release through 1.7.0, is vulnerable. Any WordPress site using these versions of the plugin is at risk.

Risk and Exploitability

The CVSS score of 6.5 places the vulnerability in the medium severity range. An EPSS score of <1% indicates a low likelihood of exploitation at the time of analysis, and the issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers can exploit the flaw via the plugin’s interface for adding or editing product tabs, so site administrators with sufficient privileges are required to craft the malicious input. Because the flaw is stored XSS, an injected payload executes for all users, so the impact on an affected site is potentially widespread.

Generated by OpenCVE AI on May 2, 2026 at 11:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest available plugin version, that is, a version later than 1.7.0.
  • If an upgrade is not immediately possible, limit access to product‑tab editing to trusted users and monitor changes for suspicious content.
  • Implement a site‑wide content security policy (CSP) to restrict execution of untrusted scripts as a fallback mitigation.

Advisories
Source: EUVD
ID: EUVD-2025-11124
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Additional Custom Product Tabs for WooCommerce allows Stored XSS. This issue affects Additional Custom Product Tabs for WooCommerce: from n/a through 1.7.0.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Additional Custom Product Tabs for WooCommerce allows Stored XSS. This issue affects Additional Custom Product Tabs for WooCommerce: from n/a through 1.7.0.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Additional Custom Product Tabs for WooCommerce product-tabs-for-woocommerce allows Stored XSS. This issue affects Additional Custom Product Tabs for WooCommerce: from n/a through <= 1.7.0.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 16 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 15 Apr 2025 22:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Additional Custom Product Tabs for WooCommerce allows Stored XSS. This issue affects Additional Custom Product Tabs for WooCommerce: from n/a through 1.7.0.
Title WordPress Additional Custom Product Tabs for WooCommerce plugin <= 1.7.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:39.938Z

Reserved: 2025-02-14T06:53:10.326Z

Link: CVE-2025-26749

Vulnrichment

Updated: 2025-04-16T14:58:05.928Z

NVD

Status: Deferred

Published: 2025-04-15T22:15:17.210

Modified: 2026-06-17T09:02:22.237

Link: CVE-2025-26749

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T12:00:14Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')