Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Wham SKU Generator for WooCommerce sku-for-woocommerce allows Reflected XSS.This issue affects SKU Generator for WooCommerce: from n/a through <= 1.6.2.
Published: 2025-04-01
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The SKU Generator for WooCommerce plugin fails to properly neutralize user input before reflecting it in an HTML response, creating a Cross‑Site Scripting (XSS) vulnerability. An attacker can embed malicious JavaScript in a crafted URL that, when visited by a user, will execute in the victim’s browser, potentially allowing cookie theft, session hijacking, or arbitrary actions on behalf of the user.

Affected Systems

WordPress sites that use the WP Wham SKU Generator for WooCommerce plugin, version 1.6.2 or earlier. The vulnerability is limited to this plugin and affects any WordPress deployment that includes it in a WooCommerce environment.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate severity, yet the EPSS score of less than 1% signals very low probability of exploitation at the time of analysis. The exploit requires an attacker to craft a malicious URL that a victim visits, so it is a remote user‑initiated attack that does not require authentication. The vulnerability is not listed in CISA KEV catalog, indicating no widespread known exploitation. However, potential impact on user privacy and site integrity makes remediation advisable.

Generated by OpenCVE AI on May 1, 2026 at 12:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SKU Generator for WooCommerce plugin to version 1.6.3 or later if available.
  • If an upgrade is not immediately possible, remove or deactivate the plugin until a patched version is released.
  • Implement a site‑wide Content Security Policy that restricts scripts to trusted sources to mitigate potential execution of injected scripts in the interim.

Generated by OpenCVE AI on May 1, 2026 at 12:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9069 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Wham SKU Generator for WooCommerce allows Reflected XSS. This issue affects SKU Generator for WooCommerce: from n/a through 1.6.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Wham SKU Generator for WooCommerce allows Reflected XSS. This issue affects SKU Generator for WooCommerce: from n/a through 1.6.2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Wham SKU Generator for WooCommerce sku-for-woocommerce allows Reflected XSS.This issue affects SKU Generator for WooCommerce: from n/a through <= 1.6.2.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 01 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 05:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Wham SKU Generator for WooCommerce allows Reflected XSS. This issue affects SKU Generator for WooCommerce: from n/a through 1.6.2.
Title WordPress SKU Generator for WooCommerce plugin <= 1.6.2 - Reflected Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:00.296Z

Reserved: 2025-03-26T09:21:45.625Z

Link: CVE-2025-30917

cve-icon Vulnrichment

Updated: 2025-04-01T14:13:58.974Z

cve-icon NVD

Status : Deferred

Published: 2025-04-01T06:15:55.047

Modified: 2026-04-23T15:27:19.390

Link: CVE-2025-30917

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T12:00:15Z

Weaknesses