Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Change Add to Cart Button Text for WooCommerce add-to-cart-button-labels-for-woocommerce allows Stored XSS. This issue affects Change Add to Cart Button Text for WooCommerce: from n/a through <= 2.2.2.
Published: 2025-05-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of input in the WPFactory Change Add to Cart Button Text for WooCommerce plugin allows stored script injection. Users who view any page containing the customized cart button may unknowingly execute attacker‑supplied JavaScript, enabling cookie theft, session hijacking, or other malicious client‑side actions. The weakness stems from a classic input validation flaw (CWE‑79).

Affected Systems

The vulnerability affects the WPFactory Change Add to Cart Button Text for WooCommerce plugin in versions 2.2.2 and earlier. Site administrators using these releases are susceptible, regardless of the underlying platform or operating system.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate baseline risk, while the EPSS score of less than 1% suggests that large‑scale exploitation is unlikely at present. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the attacker likely injects malicious code through the plugin’s label field during administration; if an attacker can access the settings page, the stored input poses a direct risk to all site visitors. Organizations should treat this as a reasonable threat that warrants corrective action even if active exploitation is presently rare.

Generated by OpenCVE AI on April 30, 2026 at 12:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to version 2.2.3 or later to install the vendor’s input‑sanitization fix.
  • Configure user roles so that only administrators can edit the cart button label field, minimizing the window for an attacker to inject code.
  • Implement a web‑application firewall rule to block unexpected script tags in the cart button text and enable generic XSS protection headers on the site.

Advisories
Source: EUVD
ID: EUVD-2025-28174
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Change Add to Cart Button Text for WooCommerce allows Stored XSS. This issue affects Change Add to Cart Button Text for WooCommerce: from n/a through 2.2.2.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1)
  Removed: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
  Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Change Add to Cart Button Text for WooCommerce allows Stored XSS. This issue affects Change Add to Cart Button Text for WooCommerce: from n/a through 2.2.2.
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Change Add to Cart Button Text for WooCommerce add-to-cart-button-labels-for-woocommerce allows Stored XSS. This issue affects Change Add to Cart Button Text for WooCommerce: from n/a through <= 2.2.2.
Title
  Removed: WordPress Change Add to Cart Button Text for WooCommerce <= 2.2.2 - Cross Site Scripting (XSS) Vulnerability
  Added: WordPress Change Add to Cart Button Text for WooCommerce plugin <= 2.2.2 - Cross Site Scripting (XSS) Vulnerability
References
Metrics (cvssV3_1)
  Removed: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
  Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Thu, 29 May 2025 21:15:00 +0000

First Time appeared
  Added: Wpfactory; Wpfactory change Add To Cart Button Text For Woocommerce
CPEs
  Added: cpe:2.3:a:wpfactory:change_add_to_cart_button_text_for_woocommerce:*:*:*:*:*:wordpress:*:*
Vendors & Products
  Added: Wpfactory; Wpfactory change Add To Cart Button Text For Woocommerce

Mon, 19 May 2025 19:15:00 +0000

Metrics (ssvc)
  Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 May 2025 15:00:00 +0000

Description
  Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Change Add to Cart Button Text for WooCommerce allows Stored XSS. This issue affects Change Add to Cart Button Text for WooCommerce: from n/a through 2.2.2.
Title
  Added: WordPress Change Add to Cart Button Text for WooCommerce <= 2.2.2 - Cross Site Scripting (XSS) Vulnerability
Weaknesses
  Added: CWE-79
References
Metrics (cvssV3_1)
  Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:54.327Z

Reserved: 2025-05-19T14:13:09.841Z

Link: CVE-2025-48254

Vulnrichment

Updated: 2025-05-19T15:09:31.170Z

NVD

Status: Modified

Published: 2025-05-19T15:15:28.303

Modified: 2026-04-23T15:30:58.440

Link: CVE-2025-48254

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T12:45:22Z

Weaknesses