Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in primersoftware Primer MyData for Woocommerce primer-mydata allows Reflected XSS. This issue affects Primer MyData for Woocommerce: from n/a through < 4.2.4.
Published: 2025-04-01
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input that allows an attacker to inject malicious script into a reflected response. A victim who visits a crafted URL can have arbitrary client‑side code executed in their browser, leading to session hijacking, cookie theft, or defacement. The weakness is a classic reflected XSS (CWE‑79) and can affect any user able to complete the request.

Affected Systems

The flaw exists in Primer MyData for WooCommerce plugin versions earlier than 4.2.4. Any WordPress site that has the plugin installed and running one of those versions is susceptible. The plugin developer is primersoftware and distributors should contact them for an update.

Risk and Exploitability

The CVSS base score of 7.1 classifies the issue as high severity. The EPSS score is under 1%, indicating a low but non‑zero exploitation probability, and the vulnerability is not yet listed in CISA KEV. Attackers can trigger the flaw by sending a malicious link to an unsuspecting user; once the victim clicks, the script is executed. The lack of server‑side validation or output sanitization is the fundamental failure.

Generated by OpenCVE AI on May 1, 2026 at 02:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official update to Primer MyData for WooCommerce version 4.2.4 or later.
  • If an update is not feasible immediately, disable or uninstall the plugin to eliminate the attack surface and consider removing any reflected inputs that can be manipulated by users.
  • Implement or tighten the site’s content‑security‑policy headers to block inline scripts, thereby mitigating the impact of any remaining reflected XSS vectors.


Advisories
Source: EUVD
ID: EUVD-2025-9082
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in primersoftware Primer MyData for Woocommerce allows Reflected XSS. This issue affects Primer MyData for Woocommerce: from n/a through n/a.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in primersoftware Primer MyData for Woocommerce allows Reflected XSS. This issue affects Primer MyData for Woocommerce: from n/a through n/a.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in primersoftware Primer MyData for Woocommerce primer-mydata allows Reflected XSS. This issue affects Primer MyData for Woocommerce: from n/a through < 4.2.4.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 01 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 05:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in primersoftware Primer MyData for Woocommerce allows Reflected XSS. This issue affects Primer MyData for Woocommerce: from n/a through n/a.
Title WordPress Primer MyData for Woocommerce plugin < 4.2.4 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:00.780Z

Reserved: 2025-03-26T09:21:51.871Z

Link: CVE-2025-30924

Vulnrichment

Updated: 2025-04-01T13:46:16.257Z

NVD

Status: Deferred

Published: 2025-04-01T06:15:55.210

Modified: 2026-04-23T15:27:20.190

Link: CVE-2025-30924

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T02:45:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')