Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Coupons & Add to Cart by URL Links for WooCommerce url-coupons-for-woocommerce-by-algoritmika allows Stored XSS.This issue affects Coupons & Add to Cart by URL Links for WooCommerce: from n/a through <= 1.7.7.
Published: 2025-05-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw caused by improper neutralization of user input during page generation. An attacker can inject malicious scripts into coupon or add‑to‑cart links, which are then displayed to any visitor of the affected WordPress site. This can lead to credential theft, session hijacking, defacement or delivery of further malware, affecting the confidentiality, integrity and availability of the site and its users.

Affected Systems

WPFactory Coupons & Add to Cart by URL Links for WooCommerce on WordPress sites, all released versions up to and including 1.7.7 are vulnerable. No version is listed as a fix, indicating that all current builds carry the flaw.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at the moment. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through the plugin’s URL link interface, where a malicious user creates or modifies a coupon link with embedded script code. Successful exploitation would give an attacker the same permissions as the site visitor that loads the page.

Generated by OpenCVE AI on April 30, 2026 at 12:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to the latest stable release that fixes the stored XSS flaw.
  • If an upgrade cannot be performed immediately, disable the plugin or remove all URL coupon links to block injection paths.
  • Perform a site‑wide scan for unexpected JavaScript injections and delete any malicious code that has already been stored.

Generated by OpenCVE AI on April 30, 2026 at 12:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28170 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Coupons &amp; Add to Cart by URL Links for WooCommerce allows Stored XSS. This issue affects Coupons &amp; Add to Cart by URL Links for WooCommerce: from n/a through 1.7.7.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Coupons &amp; Add to Cart by URL Links for WooCommerce url-coupons-for-woocommerce-by-algoritmika allows Stored XSS.This issue affects Coupons &amp; Add to Cart by URL Links for WooCommerce: from n/a through <= 1.7.7. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Coupons & Add to Cart by URL Links for WooCommerce url-coupons-for-woocommerce-by-algoritmika allows Stored XSS.This issue affects Coupons & Add to Cart by URL Links for WooCommerce: from n/a through <= 1.7.7.

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Coupons &amp; Add to Cart by URL Links for WooCommerce allows Stored XSS. This issue affects Coupons &amp; Add to Cart by URL Links for WooCommerce: from n/a through 1.7.7. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Coupons &amp; Add to Cart by URL Links for WooCommerce url-coupons-for-woocommerce-by-algoritmika allows Stored XSS.This issue affects Coupons &amp; Add to Cart by URL Links for WooCommerce: from n/a through <= 1.7.7.
Title WordPress Coupons & Add to Cart by URL Links for WooCommerce <= 1.7.7 - Cross Site Scripting (XSS) Vulnerability WordPress Coupons & Add to Cart by URL Links for WooCommerce plugin <= 1.7.7 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Mon, 19 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 19 May 2025 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Coupons &amp; Add to Cart by URL Links for WooCommerce allows Stored XSS. This issue affects Coupons &amp; Add to Cart by URL Links for WooCommerce: from n/a through 1.7.7.
Title WordPress Coupons & Add to Cart by URL Links for WooCommerce <= 1.7.7 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:54.315Z

Reserved: 2025-05-19T14:13:02.791Z

Link: CVE-2025-48250

cve-icon Vulnrichment

Updated: 2025-05-19T15:09:57.246Z

cve-icon NVD

Status : Deferred

Published: 2025-05-19T15:15:27.733

Modified: 2026-04-28T19:32:40.917

Link: CVE-2025-48250

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T13:00:13Z

Weaknesses