Description
The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2025-05-22
Score: 6.1 Medium
EPSS: 1.6% Low
KEV: No
Impact: Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The WooCommerce plugin for WordPress contains a deficiency in how it handles data sent via the PostMessage API on the ‘customize‑store’ page. This oversight creates a scenario where an attacker can embed arbitrary JavaScript code that will execute when a victim interacts with the page, such as by clicking a crafted link. The flaw permits the injection of malicious scripts without needing any special authentication, thereby enabling attacks that could compromise user sessions, steal credentials, or deface content. The weakness aligns with the input validation and output escaping failure classified by CWE‑79.

Affected Systems

The vulnerability affects installations of the WooCommerce plugin from Automattic for all versions up to and including 9.4.2. Users running the older free WordPress version or any derivative that embeds the same plugin are also at risk until they upgrade to a patched release. No specific operating system or server configuration is required beyond the presence of the affected plugin.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity. An EPSS score of 2% suggests that while exploitation is possible, it is not widely observed or expected to occur at high frequency. The vulnerability is not yet listed in the CISA KEV catalog, so it has not been reported as a known exploited vulnerability. Attackers can exploit the flaw by persuading a legitimate user to visit a page with malicious PostMessage data, which is then executed client‑side. The required conditions are minimal: an accessible WooCommerce ‘customize‑store’ page and a user’s browser that processes postmessages.

Generated by OpenCVE AI on April 20, 2026 at 22:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WooCommerce plugin to version 9.4.3 or newer, which removes the unsafe handling of PostMessage data.
  • If an upgrade cannot be performed immediately, implement server‑side sanitization or a content security policy that blocks inline scripts executed via PostMessage on the concerned page.
  • Deploy a web application firewall rule to detect and block suspicious PostMessage payloads containing potential script fragments before they reach the browser.

Generated by OpenCVE AI on April 20, 2026 at 22:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-16105 The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
History

Sat, 12 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00137}

 epss

{'score': 0.00184}

Fri, 11 Jul 2025 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Woocommerce
Woocommerce woocommerce
CPEs cpe:2.3:a:woocommerce:woocommerce:*:*:*:*:free:wordpress:*:*
Vendors & Products Woocommerce
Woocommerce woocommerce

Thu, 22 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 22 May 2025 04:00:00 +0000

Type Values Removed Values Added
Description The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title WooCommerce <= 9.4.2 - PostMessage-Based Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Woocommerce Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:23:41.731Z

Reserved: 2025-05-21T15:37:31.623Z

Link: CVE-2025-5062

cve-icon Vulnrichment

Updated: 2025-05-22T13:31:36.176Z

cve-icon NVD

Status : Analyzed

Published: 2025-05-22T04:16:22.913

Modified: 2025-09-30T16:35:18.210

Link: CVE-2025-5062

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T23:00:14Z

Weaknesses