Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in techmix Direct Checkout Button for WooCommerce woo-direct-checkout-button allows Stored XSS.This issue affects Direct Checkout Button for WooCommerce: from n/a through <= 1.0.
Published: 2025-02-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an improper neutralization of input during web page generation in the Direct Checkout Button for WooCommerce plugin, allowing an attacker to store malicious scripts that are executed whenever a visitor loads a page rendered by the plugin. This stored XSS can lead to session hijacking, credential theft, defacement or arbitrary script execution on the client side. The weakness is classified as CWE‑79.

Affected Systems

Any WordPress site running the Direct Checkout Button for WooCommerce plugin version 1.0 or older is vulnerable. The vulnerability covers all releases from the plugin’s earliest available version up to and including 1.0. Sites that have installed this plugin alongside WooCommerce and are not upgraded to a later release are susceptible.

Risk and Exploitability

The CVSS score of 6.5 reflects moderate overall risk, while an EPSS of less than 1% indicates a very low probability of exploitation in the wild. The issue is not currently listed in the CISA KEV catalog. An attacker can exploit the vulnerability by injecting a crafted input that the plugin stores and later displays, so a successful attack typically requires no special privileges and can affect all users who view the page where the payload is rendered.

Generated by OpenCVE AI on May 1, 2026 at 15:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Direct Checkout Button for WooCommerce plugin to the latest released version, which removes the XSS flaw.
  • If an upgrade cannot be performed immediately, deactivate or delete the plugin to prevent the stored payload from being served.
  • Validate that the site’s remaining plugins and themes do not contain similar input handling flaws, and run a comprehensive security scan for injected scripts.
  • Monitor site logs for unusual user‑agent activity or error messages that may indicate attempts to re‑inject malicious content.

Generated by OpenCVE AI on May 1, 2026 at 15:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-4319 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in techmix Direct Checkout Button for WooCommerce allows Stored XSS. This issue affects Direct Checkout Button for WooCommerce: from n/a through 1.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in techmix Direct Checkout Button for WooCommerce allows Stored XSS. This issue affects Direct Checkout Button for WooCommerce: from n/a through 1.0. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in techmix Direct Checkout Button for WooCommerce woo-direct-checkout-button allows Stored XSS.This issue affects Direct Checkout Button for WooCommerce: from n/a through <= 1.0.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Mon, 24 Feb 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 24 Feb 2025 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in techmix Direct Checkout Button for WooCommerce allows Stored XSS. This issue affects Direct Checkout Button for WooCommerce: from n/a through 1.0.
Title WordPress Direct Checkout Button for WooCommerce plugin <= 1.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:48.830Z

Reserved: 2025-02-21T16:46:02.627Z

Link: CVE-2025-27347

cve-icon Vulnrichment

Updated: 2025-02-24T16:48:27.756Z

cve-icon NVD

Status : Deferred

Published: 2025-02-24T15:15:20.097

Modified: 2026-04-23T15:26:25.010

Link: CVE-2025-27347

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T15:45:16Z

Weaknesses