Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Free Shipping Bar: Amount Left for Free Shipping for WooCommerce amount-left-free-shipping-woocommerce allows Stored XSS. This issue affects Free Shipping Bar: Amount Left for Free Shipping for WooCommerce: from n/a through <= 2.4.6.
Published: 2025-05-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a stored cross-site scripting flaw wherein user-provided input used by the WPFactory Free Shipping Bar plugin is rendered without proper neutralization. An attacker can insert malicious scripts that are persisted and later executed in the browsers of site visitors, potentially compromising session cookies, defacing content, or exfiltrating data. The weakness is classified as CWE-79.

Affected Systems

The weakness affects the WPFactory Free Shipping Bar plugin for WordPress, specifically all releases from the initial version through and including 2.4.6. Site administrators using these versions are at risk when they allow any form of input that feeds the plugin’s display mechanism.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. The EPSS < 1% shows a very low but nonzero probability of exploitation in the wild, and the vulnerability is not in CISA’s KEV catalog. Attackers would most likely target sites by gaining access to the WordPress administration panel to inject malicious payloads via the plugin’s settings or content fields; the stored nature of the flaw means the malicious code persists until it is removed or the plugin is updated.

Generated by OpenCVE AI on April 30, 2026 at 12:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPFactory Free Shipping Bar plugin to version 2.4.7 or later, which contains the necessary input sanitization fixes.
  • If an upgrade is not immediately feasible, deactivate or uninstall the plugin to eliminate the attack surface until a patch is available.
  • While using a temporary workaround, ensure that any data fed into the plugin is properly encoded or escaped on output to prevent execution of injected scripts.



Advisories
| Source | ID | Title |
|---|---|---|
| EUVD | EUVD-2025-28173 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Free Shipping Bar: Amount Left for Free Shipping for WooCommerce allows Stored XSS. This issue affects Free Shipping Bar: Amount Left for Free Shipping for WooCommerce: from n/a through 2.4.6. |

History

Thu, 23 Apr 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'} | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'} |


Wed, 01 Apr 2026 23:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Free Shipping Bar: Amount Left for Free Shipping for WooCommerce allows Stored XSS. This issue affects Free Shipping Bar: Amount Left for Free Shipping for WooCommerce: from n/a through 2.4.6. | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Free Shipping Bar: Amount Left for Free Shipping for WooCommerce amount-left-free-shipping-woocommerce allows Stored XSS. This issue affects Free Shipping Bar: Amount Left for Free Shipping for WooCommerce: from n/a through <= 2.4.6. |
| Title | WordPress Free Shipping Bar: Amount Left for Free Shipping for WooCommerce <= 2.4.6 - Cross Site Scripting (XSS) Vulnerability | WordPress Free Shipping Bar: Amount Left for Free Shipping for WooCommerce plugin <= 2.4.6 - Cross Site Scripting (XSS) Vulnerability |
| References | | |
| Metrics | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'} | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'} |


Thu, 17 Jul 2025 19:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Wpfactory free Shipping Bar |
| CPEs | `cpe:2.3:a:wpfactory:free_shipping_for_woocommerce:*:*:*:*:*:wordpress:*:*` | `cpe:2.3:a:wpfactory:free_shipping_bar:*:*:*:*:*:wordpress:*:*` |
| Vendors & Products | Wpfactory free Shipping For Woocommerce | Wpfactory free Shipping Bar |

Thu, 29 May 2025 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Wpfactory, Wpfactory free Shipping For Woocommerce |
| CPEs | | `cpe:2.3:a:wpfactory:free_shipping_for_woocommerce:*:*:*:*:*:wordpress:*:*` |
| Vendors & Products | | Wpfactory, Wpfactory free Shipping For Woocommerce |

Mon, 19 May 2025 19:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 19 May 2025 15:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Free Shipping Bar: Amount Left for Free Shipping for WooCommerce allows Stored XSS. This issue affects Free Shipping Bar: Amount Left for Free Shipping for WooCommerce: from n/a through 2.4.6. |
| Title | | WordPress Free Shipping Bar: Amount Left for Free Shipping for WooCommerce <= 2.4.6 - Cross Site Scripting (XSS) Vulnerability |
| Weaknesses | | CWE-79 |
| References | | |
| Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:54.225Z

Reserved: 2025-05-19T14:13:09.841Z

Link: CVE-2025-48253

Vulnrichment

Updated: 2025-05-19T15:09:36.882Z

NVD

Status: Modified

Published: 2025-05-19T15:15:28.163

Modified: 2026-04-23T15:30:58.317

Link: CVE-2025-48253

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T12:45:22Z

Weaknesses