Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Cost of Goods for WooCommerce cost-of-goods-for-woocommerce allows Stored XSS. This issue affects Cost of Goods for WooCommerce: from n/a through <= 3.7.0.
Published: 2025-05-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input allows stored cross‑site scripting (XSS) in the Cost of Goods for WooCommerce plugin. Because the vulnerability is a CWE‑79 stored XSS, an attacker can inject malicious script that will run in the browser of any user who views a page displaying the affected data, potentially enabling cookie theft, session hijacking, or defacement. While the description does not state a privilege requirement, the lack of authentication details suggests that any user able to submit data to the affected fields could exploit the flaw.

Affected Systems

WPFactory’s Cost of Goods for WooCommerce plugin is vulnerable in all releases up to and including version 3.7.0. The affected product is the WordPress plugin that manages product cost information for WooCommerce stores.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5, indicating moderate severity, and an EPSS score of less than 1%, implying a low probability of exploitation at the time of analysis. It is not listed in the CISA KEV catalog, suggesting no known large‑scale exploitation has been documented. The likely attack vector involves submitting malicious payloads through any input field that stores data, which is later rendered without proper escaping. An attacker could thus compromise user session data or alter the site’s appearance.

Generated by OpenCVE AI on April 30, 2026 at 12:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Cost of Goods for WooCommerce plugin to the latest release that removes the stored XSS flaw
  • If an update is not yet available, add a web application firewall rule that blocks or sanitizes suspicious scripts in data submissions
  • Manually scan the site for any existing stored content that may contain malicious code and cleanse or remove it



Advisories
Source: EUVD
ID: EUVD-2025-28160
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Cost of Goods for WooCommerce allows Stored XSS. This issue affects Cost of Goods for WooCommerce: from n/a through 3.7.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description
    Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Cost of Goods for WooCommerce allows Stored XSS. This issue affects Cost of Goods for WooCommerce: from n/a through 3.7.0.
    Added:   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Cost of Goods for WooCommerce cost-of-goods-for-woocommerce allows Stored XSS.This issue affects Cost of Goods for WooCommerce: from n/a through <= 3.7.0.
  Title
    Removed: WordPress Cost of Goods for WooCommerce <= 3.7.0 - Cross Site Scripting (XSS) Vulnerability
    Added:   WordPress Cost of Goods for WooCommerce plugin <= 3.7.0 - Cross Site Scripting (XSS) Vulnerability
  References: (no values recorded)
  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Mon, 19 May 2025 19:15:00 +0000

  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 19 May 2025 15:00:00 +0000

  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Cost of Goods for WooCommerce allows Stored XSS. This issue affects Cost of Goods for WooCommerce: from n/a through 3.7.0.
  Title: WordPress Cost of Goods for WooCommerce <= 3.7.0 - Cross Site Scripting (XSS) Vulnerability
  Weaknesses: CWE-79
  References: (no values recorded)
  Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED
Assigner: Patchstack
Published:
Updated: 2026-04-28T16:12:53.602Z
Reserved: 2025-05-19T14:12:49.259Z
Link: CVE-2025-48240

Vulnrichment

Updated: 2025-05-19T15:10:53.274Z

NVD

Status: Deferred
Published: 2025-05-19T15:15:26.610
Modified: 2026-04-23T15:30:56.867
Link: CVE-2025-48240

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T13:00:13Z

Weaknesses