Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ProWCPlugins Related Products Manager for WooCommerce related-products-manager-woocommerce allows DOM-Based XSS.This issue affects Related Products Manager for WooCommerce: from n/a through <= 1.6.2.
Published: 2025-06-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper handling of user-supplied data in the WordPress plugin, enabling a DOM‑based cross‑site scripting flaw. An attacker could inject malicious scripts that run in the victim’s browser, allowing cookie theft, session hijacking, or the execution of arbitrary client‑side code. This is a classic input‑validation weakness classified as CWE‑79.

Affected Systems

The affected product is ProWCPlugins Related Products Manager for WooCommerce. Versions up to and including 1.6.2 are affected; no more recent versions are listed as vulnerable, so any site using 1.6.2 or older is at risk.

Risk and Exploitability

The reported CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% suggests exploitation opportunities are currently rare, and the vulnerability is not listed in the CISA KEV catalogue. Based on the description, the likely attack vector involves an attacker supplying crafted data to a front‑end parameter that the plugin renders without sanitisation. Successful exploitation requires an authenticated or unauthenticated user to load the affected page, and the impact is confined to the victim’s browser rather than the server. Because of the DOM‑based nature, deploying browser‑side mitigations can reduce risk.

Generated by OpenCVE AI on April 30, 2026 at 11:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Related Products Manager for WooCommerce plugin to any version newer than 1.6.2, if a patch is available.
  • If an update is not immediately available, restrict the users who can interact with the plugin’s input fields and enforce strict content‑type and CSP headers to prevent script execution.
  • Apply input validation on any user‑generated data that the plugin outputs to the page, ensuring it is properly encoded for HTML or JavaScript contexts.

Generated by OpenCVE AI on April 30, 2026 at 11:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-19020 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ProWCPlugins Related Products Manager for WooCommerce allows DOM-Based XSS. This issue affects Related Products Manager for WooCommerce: from n/a through 1.6.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ProWCPlugins Related Products Manager for WooCommerce allows DOM-Based XSS. This issue affects Related Products Manager for WooCommerce: from n/a through 1.6.2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ProWCPlugins Related Products Manager for WooCommerce related-products-manager-woocommerce allows DOM-Based XSS.This issue affects Related Products Manager for WooCommerce: from n/a through <= 1.6.2.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 24 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ProWCPlugins Related Products Manager for WooCommerce allows DOM-Based XSS. This issue affects Related Products Manager for WooCommerce: from n/a through 1.6.2.
Title WordPress Related Products Manager for WooCommerce plugin <= 1.6.2 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:16.962Z

Reserved: 2025-06-11T16:08:50.967Z

Link: CVE-2025-50045

cve-icon Vulnrichment

Updated: 2025-06-24T13:37:48.334Z

cve-icon NVD

Status : Deferred

Published: 2025-06-20T15:15:30.863

Modified: 2026-04-23T15:32:02.420

Link: CVE-2025-50045

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T11:15:35Z

Weaknesses