Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cscode WooCommerce Estimate and Quote wc-estimate-and-quote allows Reflected XSS. This issue affects WooCommerce Estimate and Quote: from n/a through <= 1.0.2.5.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WooCommerce Estimate and Quote plugin from cscode fails to neutralize user-controlled input before writing it into a generated page, the Cross-Site Scripting weakness tracked as CWE-79. The flaw is reflected XSS: input carried in a crafted URL or form submission is echoed back into the response without encoding, so attacker-supplied script executes in the browser of the user who opens that link. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) captures the shape of the attack: no privileges are needed, the victim must interact (open the link), and scope is changed because the code runs in the victim's browser rather than in the plugin itself. The damage is confined to what that browser session can do, but in WordPress that is significant: if the victim is a logged-in administrator, the injected script can issue authenticated requests in their session and perform administrative actions on the site.

Affected Systems

The vulnerability affects the WooCommerce Estimate and Quote plugin for WordPress (slug wc-estimate-and-quote) in all versions up to and including 1.0.2.5; the advisory gives no lower bound ("from n/a"). No other vendors, products, or versions are listed as affected.

Risk and Exploitability

The CVSS 3.1 base score is 7.1 (High); the EPSS score is below 1%, indicating a low estimated probability of exploitation at present, and the SSVC assessment records no known exploitation and rates the attack as not automatable. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to get a victim to open a crafted URL or submit input that the plugin reflects without encoding, typically by sending the link to a site administrator or customer. Low current exploitation likelihood does not remove the need for timely remediation: reflected XSS in a WordPress plugin needs only one administrator to click a link.

Generated by OpenCVE AI on April 30, 2026 at 21:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WooCommerce Estimate and Quote plugin to a version later than 1.0.2.5 as soon as the vendor publishes one. The advisory lists every version through 1.0.2.5 as affected and records no fix at the time of writing, so check the plugin's changelog rather than assuming a specific patched version exists.
  • If no fixed version is available, deactivate or remove the plugin until one is. At minimum, site administrators should not open estimate or quote links from untrusted sources while logged in to wp-admin.
  • As a compensating control, deploy web application firewall rules that block common reflected XSS payloads in the request parameters the plugin handles. If you maintain a local patch or fork, confirm that every request value the plugin writes into a page is escaped with the WordPress function matching its HTML context (esc_html() for text nodes, esc_attr() for attribute values, esc_url() for URLs); input sanitization alone does not close CWE-79.

Generated by OpenCVE AI on April 30, 2026 at 21:40 UTC.
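The pattern behind CWE-79 and the fix the recommended actions describe, as an added illustration that is not the cscode plugin's code: a request parameter echoed into HTML verbatim, beside the same output escaped with the WordPress functions for each context. The parameter name quote_ref, the markup, and the fallback implementations of the WordPress helpers (present only so the file runs under plain php outside WordPress) are assumptions made for this example.

```php
<?php
// Added illustration, not code from the cscode plugin: the reflected-XSS pattern
// CWE-79 describes (request input echoed into HTML unescaped) beside the hardened
// form using WordPress sanitisation and output escaping. The parameter name
// `quote_ref` and the markup are assumptions made for this example.

// Fallbacks so the file runs under plain `php` outside WordPress. Inside WordPress
// the core functions already exist and these definitions are skipped. They
// approximate, not replicate, core behaviour.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) {
        return is_string($value) ? stripslashes($value) : $value;
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        return trim(strip_tags((string) $str));
    }
}

// Vulnerable pattern: the query parameter lands inside a text node and an
// attribute verbatim. A value such as "><script>...</script> closes the attribute
// and the tag, and the injected script runs in the browser of whoever opens the URL.
function render_quote_field_vulnerable(array $request): string {
    $ref = $request['quote_ref'] ?? '';
    return '<p>Reference: ' . $ref . '</p>'
         . '<input type="text" name="quote_ref" value="' . $ref . '">';
}

// Hardened pattern: sanitise on input, then escape on output with the function that
// matches the HTML context (esc_html() for text nodes, esc_attr() for attribute
// values). Sanitising alone is not enough; the output escape is what closes CWE-79.
function render_quote_field_hardened(array $request): string {
    $ref = isset($request['quote_ref'])
        ? sanitize_text_field(wp_unslash($request['quote_ref']))
        : '';
    return '<p>Reference: ' . esc_html($ref) . '</p>'
         . '<input type="text" name="quote_ref" value="' . esc_attr($ref) . '">';
}

// Constructed request, standing in for $_GET after a crafted link is opened.
$crafted = ['quote_ref' => '"><script>alert(document.cookie)</script>'];

echo "vulnerable: ", render_quote_field_vulnerable($crafted), PHP_EOL;
echo "hardened:   ", render_quote_field_hardened($crafted), PHP_EOL;

// Self-check: nothing from the request may reach the output as a tag or as an
// unescaped double quote inside the attribute.
$out = render_quote_field_hardened($crafted);
assert(strpos($out, '<script') === false);
assert(preg_match('/value="[^"]*"/', $out) === 1);
```

Run it with `php xss_example.php`: the vulnerable line shows the attribute and tag broken open and a live script element; the hardened line shows the quote and angle bracket rendered as `&quot;` and `&gt;`, which the browser displays as text. The escape must match the context where the value is written: an `href` needs esc_url(), and a value placed inside inline JavaScript needs wp_json_encode() rather than esc_html(). A WAF rule blocking `<script` in query strings is only a stopgap, since the same attribute break-out works with an event handler and no script tag.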


Advisories
Source: EUVD
ID: EUVD-2025-11657
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cscode WooCommerce Estimate and Quote allows Reflected XSS. This issue affects WooCommerce Estimate and Quote: from n/a through 1.0.2.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cscode WooCommerce Estimate and Quote allows Reflected XSS. This issue affects WooCommerce Estimate and Quote: from n/a through 1.0.2.5.
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cscode WooCommerce Estimate and Quote wc-estimate-and-quote allows Reflected XSS.This issue affects WooCommerce Estimate and Quote: from n/a through <= 1.0.2.5.
Type: References
Type: Metrics (cvssV3_1)
Values added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 18 Apr 2025 08:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 17 Apr 2025 16:00:00 +0000

Type: Description
Values added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cscode WooCommerce Estimate and Quote allows Reflected XSS. This issue affects WooCommerce Estimate and Quote: from n/a through 1.0.2.5.
Type: Title
Values added: WordPress WooCommerce Estimate and Quote plugin <= 1.0.2.5 - Reflected Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
Values added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Values added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:23.187Z

Reserved: 2025-04-09T11:19:28.417Z

Link: CVE-2025-32514

Vulnrichment

Updated: 2025-04-17T18:05:32.320Z

NVD

Status : Deferred

Published: 2025-04-17T16:15:40.543

Modified: 2026-04-23T15:29:01.357

Link: CVE-2025-32514

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T21:45:26Z

Weaknesses