Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mojofywp Product Carousel For WooCommerce – WoorouSell woorousell allows Stored XSS. This issue affects Product Carousel For WooCommerce – WoorouSell: from n/a through <= 1.1.0.
Published: 2025-05-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw caused by improper sanitization of user input in the Product Carousel For WooCommerce – WoorouSell plugin. An attacker who can insert data into a stored field could cause arbitrary JavaScript to execute in the browsers of any users who view the affected page, potentially leading to session hijacking, data theft, or defacement. This weakness is classified as CWE‑79.

Affected Systems

The plugin Product Carousel For WooCommerce – WoorouSell from vendor mojofywp is affected. All releases up to and including version 1.1.0 are vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% suggests the probability of exploitation is low, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector involves submitting malicious content through the plugin’s administrative or configuration interface, which is then rendered to visitors without proper escaping. An attacker does not need elevated privileges beyond control of a form that the plugin processes.

Generated by OpenCVE AI on April 30, 2026 at 20:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WoorouSell plugin to the latest stable release where the XSS flaw has been corrected.
  • Disable or remove the plugin if an update is not possible until the vulnerability is mitigated.
  • Inspect the site for other plugins that process stored user input without proper escaping and apply available patches.

Advisories
Source: EUVD
ID: EUVD-2025-15478
Title: Missing Authorization vulnerability in QuanticaLabs CSS3 Tooltips for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CSS3 Tooltips for WordPress: from n/a through 1.8.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Missing Authorization vulnerability in QuanticaLabs CSS3 Tooltips for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CSS3 Tooltips for WordPress: from n/a through 1.8.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mojofywp Product Carousel For WooCommerce – WoorouSell woorousell allows Stored XSS. This issue affects Product Carousel For WooCommerce – WoorouSell: from n/a through <= 1.1.0.
Title
  Removed: WordPress CSS3 Tooltips for WordPress <= 1.8 - Broken Access Control Vulnerability
  Added: WordPress Product Carousel For WooCommerce – WoorouSell plugin <= 1.1.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses
  Removed: CWE-862
  Added: CWE-79
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Fri, 16 May 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 16 May 2025 16:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in QuanticaLabs CSS3 Tooltips for WordPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CSS3 Tooltips for WordPress: from n/a through 1.8.
Title WordPress CSS3 Tooltips for WordPress <= 1.8 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:18.266Z

Reserved: 2025-04-04T10:01:12.079Z

Link: CVE-2025-32180

Vulnrichment

Updated: 2025-05-16T16:18:49.731Z

NVD

Status: Deferred

Published: 2025-05-16T16:15:38.603

Modified: 2026-04-23T15:28:42.500

Link: CVE-2025-32180

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T20:15:16Z

Weaknesses