Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mahdi Yousefi [MahdiY] افزونه حمل و نقل ووکامرس (پست پیشتاز و سفارشی، پیک موتوری) persian-woocommerce-shipping allows Stored XSS. This issue affects افزونه حمل و نقل ووکامرس (پست پیشتاز و سفارشی، پیک موتوری): from n/a through <= 4.2.3.
Published: 2025-03-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Stored Cross‑Site Scripting flaw in the Persian WooCommerce Shipping plugin by Mahdi Yousefi. Untrusted data supplied via plugin controls is rendered unsanitized in generated web pages, allowing an attacker to inject and persist malicious scripts. If an attacker successfully stores payloads, any user who later views the affected content could have their session hijacked, credentials stolen, or the site defaced. The weakness corresponds to CWE‑79.

Affected Systems

WordPress sites running the Persian WooCommerce Shipping plugin from Mahdi Yousefi (listed as MahdiY) are affected on any version up to and including 4.2.3. No other plugins or WordPress core versions are listed. Site administrators should verify the installed version and update or remove any instances of the plugin.

Risk and Exploitability

The CVSS score of 6.5 marks the flaw as moderate severity. The EPSS indicates a very low likelihood of exploitation (<1%). The vulnerability is not present in CISA KEV, suggesting no known widespread active exploitation. Exploitation requires an attacker to insert a malicious payload through the plugin's input mechanisms; the CVSS vector (PR:L, UI:R) indicates that low privileges and user interaction are needed. Once stored, the payload executes in the browser of any user who views the affected content.

Generated by OpenCVE AI on May 1, 2026 at 12:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest available version of the Persian WooCommerce Shipping plugin, which includes the fix for this vulnerability.
  • If the plugin cannot be upgraded immediately, disable the feature that accepts user‑supplied data or restrict the plugin’s access to trusted administrators only.
  • Deploy a Web Application Firewall with XSS filtering enabled to block malicious input before it reaches the plugin.
  • Conduct an audit of the site to ensure no residual malicious scripts are present in the database or content, and clean or remove any detected items.

Advisories
Source: EUVD
ID: EUVD-2025-8311
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mahdi Yousefi [MahdiY] افزونه حمل و نقل ووکامرس (پست پیشتاز و سفارشی، پیک موتوری) allows Stored XSS. This issue affects افزونه حمل و نقل ووکامرس (پست پیشتاز و سفارشی، پیک موتوری): from n/a through 4.2.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mahdi Yousefi [MahdiY] افزونه حمل و نقل ووکامرس (پست پیشتاز و سفارشی، پیک موتوری) allows Stored XSS. This issue affects افزونه حمل و نقل ووکامرس (پست پیشتاز و سفارشی، پیک موتوری): from n/a through 4.2.3.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mahdi Yousefi [MahdiY] افزونه حمل و نقل ووکامرس (پست پیشتاز و سفارشی، پیک موتوری) persian-woocommerce-shipping allows Stored XSS. This issue affects افزونه حمل و نقل ووکامرس (پست پیشتاز و سفارشی، پیک موتوری): from n/a through <= 4.2.3.

Type: References (values not shown)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Thu, 27 Mar 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 27 Mar 2025 11:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mahdi Yousefi [MahdiY] افزونه حمل و نقل ووکامرس (پست پیشتاز و سفارشی، پیک موتوری) allows Stored XSS. This issue affects افزونه حمل و نقل ووکامرس (پست پیشتاز و سفارشی، پیک موتوری): from n/a through 4.2.3.

Type: Title
Values Added: WordPress افزونه حمل و نقل ووکامرس (پست پیشتاز و سفارشی، پیک موتوری) plugin <= 4.2.3 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References (values not shown)

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:59.921Z

Reserved: 2025-03-26T09:21:31.391Z

Link: CVE-2025-30898

Vulnrichment

Updated: 2025-03-27T19:25:41.420Z

NVD

Status: Deferred

Published: 2025-03-27T11:15:50.920

Modified: 2026-04-23T15:27:17.290

Link: CVE-2025-30898

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T13:00:12Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')