CVE-2025-49042 - Vulnerability Details

- WordPress WooCommerce plugin <= 10.0.2 - Cross Site Scripting (XSS) vulnerability

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce woocommerce allows Stored XSS.This issue affects WooCommerce: from n/a through <= 10.0.2.

Published: 2025-10-29

Score: 5.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is an improper neutralization of user input, allowing an attacker to embed malicious scripts that are stored and later rendered by the WooCommerce plugin. An attacker can craft payloads that persist in the shop’s database and execute when customers view affected pages, leading to session hijacking, credential theft, or defacement. The weakness is classified as CWE‑79, a common insecure input handling flaw.

Affected Systems

Automattic’s WooCommerce plugin versions through 10.0.2 are vulnerable. All installations using any release <=10.0.2, regardless of site configuration, are susceptible until a patched version is applied.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, and the EPSS score of less than 1% reflects a very low projected exploitation probability at present. The vulnerability is not listed in the CISA KEV catalog, suggesting it is not actively exploited in the wild. The likely attack vector is user‑generated content—product titles, descriptions, or custom fields—that an attacker can manipulate to inject script payloads which are then stored and served to other users.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Automattic

WooCommerce

unaffected

Version	Status	Constraints
`0`	affected	≤ 10.0.2

No data.

Vendor	Product	Confidence	Versions
Automattic	Woocommerce	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade WooCommerce to the latest version that includes the XSS fix.
Use a web application firewall or security plugin to block or sanitize script tags on all user‑submitted fields when the patch cannot be applied immediately.
Implement server‑side output escaping for any custom product metadata to ensure that no HTML or JavaScript is rendered in the browser.

Generated by OpenCVE AI on May 1, 2026 at 06:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00027.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/woocommerce/vulnerability/wordpress-woocommerce-plugin-10-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce woocommerce allows Stored XSS.This issue affects WooCommerce: from n/a through 10.0.2.	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce woocommerce allows Stored XSS.This issue affects WooCommerce: from n/a through <= 10.0.2.
CPEs	cpe:2.3:a:automattic:woocommerce::::::::
References	https://patchstack.com/database/wordpress/plugin/woocommerce/security-policy/vdp/vulnerability/wordpress-woocommerce-plugin-10-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Plugin/woocommerce/vulnerability/wordpress-woocommerce-plugin-10-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}`

Tue, 20 Jan 2026 15:30:00 +0000

Type	Values Removed	Values Added
References	https://vdp.patchstack.com/database/wordpress/plugin/woocommerce/security-policy/vdp/vulnerability/wordpress-woocommerce-plugin-10-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve

Tue, 20 Jan 2026 14:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:automattic:woocommerce::::::::
References		https://patchstack.com/database/wordpress/plugin/woocommerce/security-policy/vdp/vulnerability/wordpress-woocommerce-plugin-10-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve

Wed, 29 Oct 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 29 Oct 2025 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Automattic Automattic woocommerce Wordpress Wordpress wordpress
Vendors & Products		Automattic Automattic woocommerce Wordpress Wordpress wordpress

Wed, 29 Oct 2025 05:00:00 +0000

Type	Values Removed	Values Added
Description		Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce woocommerce allows Stored XSS.This issue affects WooCommerce: from n/a through 10.0.2.
Title		WordPress WooCommerce plugin <= 10.0.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses		CWE-79
References		https://vdp.patchstack.com/database/wordpress/plugin/woocommerce/security-policy/vdp/vulnerability/wordpress-woocommerce-plugin-10-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}`

Subscriptions

Automattic Woocommerce

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-10-29T04:50:12.507Z

Updated: 2026-04-28T16:12:58.197Z

Reserved: 2025-05-30T14:04:26.750Z

Link: CVE-2025-49042

Vulnrichment

Updated: 2025-10-29T13:31:14.856Z

NVD

Status : Deferred

Published: 2025-10-29T05:15:37.080

Modified: 2026-04-23T15:31:13.170

Link: CVE-2025-49042

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:15:10Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object