WPFactory EAN for WooCommerce contains an improper neutralization of input during web page generation vulnerability that enables an attacker to inject malicious scripts into stored content. The weakness is a Classic Stored XSS flaw (CWE‑79). When triggered, an attacker can execute arbitrary JavaScript in the context of any user who views the compromised page, potentially facilitating credential theft, defacement, or session hijacking. The impact is primarily loss of confidentiality and integrity of site data, and possible denial of service if the script disrupts page rendering.

The vulnerability afflicts the EAN for WooCommerce plugin by WPFactory, affecting all releases through version 5.4.6. Any WordPress site that has this plugin installed prior to 5.4.7 may be vulnerable.

The CVSS score of 6.5 indicates a medium severity. The EPSS score of less than 1 % suggests a low likelihood of exploitation at present, and the CVE is not listed in the CISA KEV catalog. The most probable attack vector is via the plugin’s input handling for stored data—an attacker with access to create or modify content within the shop can embed malicious script that later loads when any visitor views the product. Immediate mitigation is advised despite the low exploitation probability because a successful XSS can compromise user sessions and site integrity.