Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Additional Custom Emails & Recipients for WooCommerce custom-emails-for-woocommerce allows Stored XSS.This issue affects Additional Custom Emails & Recipients for WooCommerce: from n/a through <= 3.5.1.
Published: 2025-05-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw (CWE‑79) in the WPFactory Additional Custom Emails & Recipients for WooCommerce plugin, allowing malicious script injection into stored email templates. An attacker can exploit this to inject scripts that execute in the context of the site’s web pages or email rendering, which can compromise user sessions, deface the site, or steal data from users who view the affected pages.

Affected Systems

This flaw affects the WPFactory Additional Custom Emails & Recipients for WooCommerce plugin for WordPress, all versions up to and including 3.5.1. The product is widely used to send custom emails in WooCommerce stores.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate severity. The EPSS score is less than 1 %, showing a very low probability of exploitation at present. It is not listed in the CISA KEV catalog. The likely attack vector is through the plugin’s email template editing interface, which requires authenticated access. An attacker who can add or modify an email template with malicious content can embed JavaScript that will run when the email is rendered or displayed through the WooCommerce admin UI, potentially impacting any user who opens that page.

Generated by OpenCVE AI on April 30, 2026 at 12:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to the latest version (>= 3.5.2) issued by WPFactory.
  • Clear or regenerate any custom email templates that may contain untrusted input.
  • Limit email template editing privileges to trusted administrators and, if possible, apply input sanitization to custom email fields.

Generated by OpenCVE AI on April 30, 2026 at 12:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28171 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Additional Custom Emails &amp; Recipients for WooCommerce allows Stored XSS. This issue affects Additional Custom Emails &amp; Recipients for WooCommerce: from n/a through 3.5.1.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Additional Custom Emails &amp; Recipients for WooCommerce custom-emails-for-woocommerce allows Stored XSS.This issue affects Additional Custom Emails &amp; Recipients for WooCommerce: from n/a through <= 3.5.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Additional Custom Emails & Recipients for WooCommerce custom-emails-for-woocommerce allows Stored XSS.This issue affects Additional Custom Emails & Recipients for WooCommerce: from n/a through <= 3.5.1.

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Additional Custom Emails &amp; Recipients for WooCommerce allows Stored XSS. This issue affects Additional Custom Emails &amp; Recipients for WooCommerce: from n/a through 3.5.1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Additional Custom Emails &amp; Recipients for WooCommerce custom-emails-for-woocommerce allows Stored XSS.This issue affects Additional Custom Emails &amp; Recipients for WooCommerce: from n/a through <= 3.5.1.
Title WordPress Additional Custom Emails & Recipients for WooCommerce <= 3.5.1 - Cross Site Scripting (XSS) Vulnerability WordPress Additional Custom Emails & Recipients for WooCommerce plugin <= 3.5.1 - Cross Site Scripting (XSS) Vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Mon, 19 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 19 May 2025 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Additional Custom Emails &amp; Recipients for WooCommerce allows Stored XSS. This issue affects Additional Custom Emails &amp; Recipients for WooCommerce: from n/a through 3.5.1.
Title WordPress Additional Custom Emails & Recipients for WooCommerce <= 3.5.1 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:53.895Z

Reserved: 2025-05-19T14:13:09.841Z

Link: CVE-2025-48251

cve-icon Vulnrichment

Updated: 2025-05-19T15:09:52.068Z

cve-icon NVD

Status : Deferred

Published: 2025-05-19T15:15:27.890

Modified: 2026-04-28T19:32:41.020

Link: CVE-2025-48251

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T12:45:22Z

Weaknesses