Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomIt WooCommerce Shop Page Builder allows Reflected XSS. This issue affects WooCommerce Shop Page Builder: from n/a through 2.27.7.
Published: 2025-08-14
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper neutralization of input during web page generation in ZoomIt WooCommerce Shop Page Builder, allowing malicious JavaScript to be reflected to site visitors. The primary known impact is that the injected script will execute in a user’s browser whenever the crafted page is loaded. Potential client‑side impacts such as cookie theft, session hijacking, defacement, or redirection to malicious sites are typical for reflected XSS flaws and are inferred from the nature of the vulnerability, but are not explicitly stated in the CVE record.

Affected Systems

All installations of ZoomIt WooCommerce Shop Page Builder released up to and including version 2.27.7 are affected. Any active site using one of these versions can be compromised through the identified flaw.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate to high severity. The EPSS score of less than 1% suggests a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. It can be triggered remotely, most likely via a crafted URL or form input that feeds untrusted data into the shop page rendering process. The overall risk is considered moderate due to the severity score, but the small exploitation probability reduces the immediate threat level.

Generated by OpenCVE AI on May 1, 2026 at 06:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ZoomIt WooCommerce Shop Page Builder to version 2.27.8 or later to remove the input validation flaw.
  • Deploy a Content Security Policy that disallows inline script execution and restricts script sources to trusted domains, limiting damage if the flaw is exploited.
  • Audit all input fields and URL parameters handled by the plugin for unintended script content, and apply server‑side output encoding to enforce neutralization of user‑provided data.


Advisories
Source | ID | Title
EUVD | EUVD-2025-24735 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomIt WooCommerce Shop Page Builder allows Reflected XSS. This issue affects WooCommerce Shop Page Builder: from n/a through 2.27.7.
History

Tue, 28 Apr 2026 19:30:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Type | Values Removed | Values Added
Description | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomIt WooCommerce Shop Page Builder dzs-wootable allows Reflected XSS.This issue affects WooCommerce Shop Page Builder: from n/a through <= 2.27.7. | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomIt WooCommerce Shop Page Builder allows Reflected XSS. This issue affects WooCommerce Shop Page Builder: from n/a through 2.27.7.
References

Thu, 23 Apr 2026 15:30:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type | Values Removed | Values Added
Description | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomIt WooCommerce Shop Page Builder allows Reflected XSS. This issue affects WooCommerce Shop Page Builder: from n/a through 2.27.7. | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomIt WooCommerce Shop Page Builder dzs-wootable allows Reflected XSS.This issue affects WooCommerce Shop Page Builder: from n/a through <= 2.27.7.
References

Sat, 16 Aug 2025 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Zoomit
Zoomit woocommerce Shop Page Builder
Vendors & Products Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Zoomit
Zoomit woocommerce Shop Page Builder

Thu, 14 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 Aug 2025 10:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomIt WooCommerce Shop Page Builder allows Reflected XSS. This issue affects WooCommerce Shop Page Builder: from n/a through 2.27.7.
Title WordPress WooCommerce Shop Page Builder <= 2.27.7 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:52.624Z

Reserved: 2025-03-11T08:10:52.910Z

Link: CVE-2025-28999

Vulnrichment

Updated: 2025-08-14T19:44:45.468Z

NVD

Status: Deferred

Published: 2025-08-14T11:15:31.990

Modified: 2026-04-28T19:30:13.190

Link: CVE-2025-28999

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:45:11Z

Weaknesses