Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in everythingwp Risk Free Cash On Delivery (COD) – WooCommerce risk-free-cash-on-delivery-cod-woocommerce allows Stored XSS.This issue affects Risk Free Cash On Delivery (COD) – WooCommerce: from n/a through <= 1.0.4.
Published: 2025-08-28
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation that allows stored cross‑site scripting in the Risk Free Cash On Delivery (COD) – WooCommerce plugin. An attacker can inject arbitrary JavaScript that executes whenever the stored data is rendered, potentially enabling cookie theft, session hijacking or malicious manipulation of page content. This flaw is a classic stored XSS (CWE‑79) and does not provide direct server‑side code execution.

Affected Systems

All releases of everythingwp Risk Free Cash On Delivery (COD) – WooCommerce up through version 1.0.4 are affected. Any WordPress installation that has this plugin installed and is running a version 1.0.4 or earlier is vulnerable. Versions newer than 1.0.4 are not impacted according to the vendor’s statement.

Risk and Exploitability

The CVSS score of 5.9 places this vulnerability in the medium severity range. The EPSS score of <1% indicates that exploitation is currently rare in the wild. The CVE does not disclose the exact attack vector, but it is inferred that the attacker would supply a malicious payload via the plugin’s input fields, such as transaction notes, which the plugin stores and displays. Because this likely requires authentication with permission to write to those fields, the attack vector is inferred to be local through the website’s own interface; no elevated privileges beyond normal authenticated use are needed. The vulnerability is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on April 30, 2026 at 15:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Risk Free Cash On Delivery (COD) – WooCommerce plugin to any version newer than 1.0.4; if no update is available, uninstall the plugin to eliminate the vulnerability.
  • If removal is not feasible, restrict or disable the fields that accept user‑supplied data, such as transaction notes or comments, limiting write access to administrators only.
  • Deploy a Web Application Firewall or use trusted WordPress security plugins to block common XSS payloads and monitor for injected scripts.

Generated by OpenCVE AI on April 30, 2026 at 15:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-26021 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in everythingwp Risk Free Cash On Delivery (COD) &#8211; WooCommerce allows Stored XSS. This issue affects Risk Free Cash On Delivery (COD) &#8211; WooCommerce: from n/a through 1.0.4.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in everythingwp Risk Free Cash On Delivery (COD) &#8211; WooCommerce risk-free-cash-on-delivery-cod-woocommerce allows Stored XSS.This issue affects Risk Free Cash On Delivery (COD) &#8211; WooCommerce: from n/a through <= 1.0.4. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in everythingwp Risk Free Cash On Delivery (COD) – WooCommerce risk-free-cash-on-delivery-cod-woocommerce allows Stored XSS.This issue affects Risk Free Cash On Delivery (COD) – WooCommerce: from n/a through <= 1.0.4.

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in everythingwp Risk Free Cash On Delivery (COD) &#8211; WooCommerce allows Stored XSS. This issue affects Risk Free Cash On Delivery (COD) &#8211; WooCommerce: from n/a through 1.0.4. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in everythingwp Risk Free Cash On Delivery (COD) &#8211; WooCommerce risk-free-cash-on-delivery-cod-woocommerce allows Stored XSS.This issue affects Risk Free Cash On Delivery (COD) &#8211; WooCommerce: from n/a through <= 1.0.4.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Thu, 28 Aug 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in everythingwp Risk Free Cash On Delivery (COD) &#8211; WooCommerce allows Stored XSS. This issue affects Risk Free Cash On Delivery (COD) &#8211; WooCommerce: from n/a through 1.0.4.
Title WordPress Risk Free Cash On Delivery (COD) – WooCommerce plugin <= 1.0.4 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:57.357Z

Reserved: 2025-05-19T14:41:42.787Z

Link: CVE-2025-48358

cve-icon Vulnrichment

Updated: 2025-08-28T13:32:35.243Z

cve-icon NVD

Status : Deferred

Published: 2025-08-28T13:15:56.030

Modified: 2026-04-28T19:32:47.297

Link: CVE-2025-48358

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T15:45:40Z

Weaknesses