Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weptile Mobile App for WooCommerce mobile-app-for-woocommerce allows Stored XSS. This issue affects Mobile App for WooCommerce: from n/a through <= 0.4.61.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This flaw is an improper neutralization of user input that allows an attacker to store malicious scripts within the Mobile App for WooCommerce plugin. The stored script executes in the browser of any site visitor who interacts with the affected component, enabling session hijacking, data theft, or defacement. The weakness corresponds to CWE-79 and is classified as stored cross-site scripting.

Affected Systems

The vulnerability impacts the weptile Mobile App for WooCommerce plugin, affecting all released versions up to and including 0.4.61.

Risk and Exploitability

The CVSS score of 7.1 indicates a high-severity flaw with potential compromise of confidentiality or integrity. The EPSS score is below 1%, showing a very low but nonzero probability of exploitation. The vulnerability is not listed in CISA's KEV catalog. Because the flaw permits injection of persistent scripts via plugin input fields, a remote attacker can exploit it without privileged access; this inference is based on the description of stored XSS. Exploitation consists of submitting crafted input that the plugin stores unescaped and later renders in a web page, triggering script execution in the context of site users.

Generated by OpenCVE AI on April 30, 2026 at 22:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mobile App for WooCommerce to a version newer than 0.4.61 to eliminate the stored XSS flaw.
  • Deploy a Web Application Firewall or similar filtering to detect and block malicious scripts from being stored or served through the plugin.
  • Conduct a site‑wide scan for injected scripts and clean any instances found in the plugin’s data stores.

Tracking

Advisories
Source: EUVD
ID: EUVD-2025-11717
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weptile ShopApper allows Stored XSS. This issue affects ShopApper: from n/a through 0.4.39.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weptile ShopApper allows Stored XSS. This issue affects ShopApper: from n/a through 0.4.39.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weptile Mobile App for WooCommerce mobile-app-for-woocommerce allows Stored XSS.This issue affects Mobile App for WooCommerce: from n/a through <= 0.4.61.

Type: Title
Values Removed: WordPress ShopApper plugin <= 0.4.39 - Cross Site Scripting (XSS) vulnerability
Values Added: WordPress ShopApper plugin <= 0.4.61 - Cross Site Scripting (XSS) vulnerability

Type: References
Values Removed: (not listed)
Values Added: (not listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 17 Apr 2025 19:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 17 Apr 2025 16:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weptile ShopApper allows Stored XSS. This issue affects ShopApper: from n/a through 0.4.39.

Type: Title
Values Removed: (none)
Values Added: WordPress ShopApper plugin <= 0.4.39 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (not listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:11:36.967Z

Reserved: 2025-04-09T11:20:57.808Z

Link: CVE-2025-32638

Vulnrichment

Updated: 2025-04-17T18:08:13.041Z

NVD

Status: Deferred

Published: 2025-04-17T16:15:48.383

Modified: 2026-04-23T15:29:15.610

Link: CVE-2025-32638

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T22:15:16Z

Weaknesses