Description
The Product Subtitle for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘htmlTag’ parameter in all versions up to, and including, 1.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-05-31
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

The vulnerability lets an authenticated user with Contributor or higher permissions inject arbitrary HTML and JavaScript through the ‘htmlTag’ parameter, because the submitted value is neither validated on input nor escaped on output (CWE‑79, stored cross‑site scripting). The malicious value is persisted with the product content and rendered to every visitor of the affected page, so the script executes in each visitor’s browser. Because WordPress sets its authentication cookies HttpOnly, the realistic impact is less cookie theft than actions performed with the victim’s session: a script running in a logged‑in editor’s or administrator’s browser can submit authenticated requests on their behalf (for example to create a user or change plugin settings), while ordinary visitors face defacement or redirection.
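As an added illustration (not code from the plugin, from Spiderware or from OpenCVE), the pattern the description implies next to a hardened equivalent. The page does not show the plugin’s source, so the function names, the ‘_psw_html_tag’ meta key, the allowlist and the markup are assumptions; only the flaw class (a caller‑supplied tag name and subtitle text written straight into HTML) comes from the advisory. The file runs under plain ‘php’ as well as inside WordPress, using the core helpers only when they exist.

```php
<?php
/**
 * Added illustration for CVE-2025-5285, not the Product Subtitle for
 * WooCommerce plugin's own code. The advisory says only that 'htmlTag' is
 * stored and output without sufficient sanitization and escaping; function
 * names, the meta key and the markup below are assumptions chosen to show
 * that pattern beside a hardened version.
 */

// Assumed vulnerable pattern: the stored tag name and the subtitle text are
// concatenated straight into the HTML the product page prints. Anything in
// $html_tag lands inside the opening tag, so an attribute such as
// onmouseover=... or a different element name survives untouched.
function psw_render_subtitle_vulnerable( string $html_tag, string $subtitle ): string {
    return '<' . $html_tag . ' class="product-subtitle">' . $subtitle . '</' . $html_tag . '>';
}

// Hardened version. The tag name is a structural token, so escaping it is not
// enough: esc_html() would turn "<" into "&lt;" and break the markup, while a
// bare value like "script" contains nothing to escape. Constrain it to a fixed
// allowlist (assumed here) and fall back to a safe default.
const PSW_ALLOWED_TAGS = array( 'p', 'span', 'div', 'small', 'h2', 'h3', 'h4', 'h5', 'h6' );

function psw_sanitize_html_tag( $html_tag ): string {
    $tag = strtolower( trim( (string) $html_tag ) );
    return in_array( $tag, PSW_ALLOWED_TAGS, true ) ? $tag : 'p';
}

// The subtitle text is a text node, so output escaping is the right control.
// esc_html() is WordPress core; htmlspecialchars() is the equivalent outside it.
function psw_escape_text( string $text ): string {
    return function_exists( 'esc_html' )
        ? esc_html( $text )
        : htmlspecialchars( $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

function psw_render_subtitle_hardened( $html_tag, string $subtitle ): string {
    $tag = psw_sanitize_html_tag( $html_tag );
    return sprintf( '<%1$s class="product-subtitle">%2$s</%1$s>', $tag, psw_escape_text( $subtitle ) );
}

// Sanitize on write as well as on read: an account that can edit the product
// draft can set this meta value, so the same allowlist is applied before the
// value reaches the database. The post type 'product' is WooCommerce's; the
// meta key '_psw_html_tag' is an assumption for this example.
if ( function_exists( 'register_post_meta' ) && function_exists( 'add_action' ) ) {
    add_action( 'init', function () {
        register_post_meta( 'product', '_psw_html_tag', array(
            'type'              => 'string',
            'single'            => true,
            'sanitize_callback' => 'psw_sanitize_html_tag',
            'auth_callback'     => function () {
                return current_user_can( 'edit_posts' );
            },
        ) );
    } );
}

// Constructed sample input modelling the attack class in the advisory: a tag
// name that smuggles an event-handler attribute, and subtitle text carrying
// markup. Both are made up for this example.
$payload_tag  = 'h2 onmouseover="alert(document.cookie)"';
$payload_text = 'Hand made <img src=x onerror="alert(1)">';

if ( PHP_SAPI === 'cli' ) {
    echo 'vulnerable: ', psw_render_subtitle_vulnerable( $payload_tag, $payload_text ), PHP_EOL;
    echo 'hardened:   ', psw_render_subtitle_hardened( $payload_tag, $payload_text ), PHP_EOL;
}
```

Run it with ‘php example.php’ to compare the two renderings: the vulnerable function emits the onmouseover attribute as part of the h2 element and the img element inside it, the hardened one emits a p element whose text node contains only entity‑encoded markup. The split matters when reviewing a fix: escaping alone covers the text, but only the allowlist covers the tag name, and applying it in the sanitize_callback means the value is cleaned whenever it is written through the WordPress metadata API, not just on the one code path that renders it.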

Affected Systems

The affected product is the WordPress plugin "Product Subtitle for WooCommerce" by Spiderware, in all releases up to and including version 1.3.9. The page lists no affected WordPress core versions and names no fixed release, so treat any installation at 1.3.9 or below as vulnerable and confirm the installed version from the Plugins screen or with WP‑CLI (wp plugin list) rather than assuming a particular later version is safe.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, 6.4 Medium) describes a network‑reachable flaw that needs a low‑privilege account, no user interaction and a changed scope, with limited confidentiality and integrity impact; the SSVC assessment records Exploitation: none, Automatable: no, Technical Impact: partial. The EPSS score below 1 % and the absence of the issue from the CISA KEV catalog indicate no known exploitation at the time of writing, but EPSS reflects observed exploitation rather than difficulty, and the payload here requires only a Contributor account and a text field. The attack path is the plugin’s subtitle setting: any account at Contributor level or above that can edit the content where the subtitle is configured can store a malicious ‘htmlTag’ value, and the script then runs in the browser of whoever renders that page, such as an editor reviewing a Contributor’s draft.

Generated by OpenCVE AI on April 20, 2026 at 22:42 UTC.

Remediation

No vendor fix or workaround is listed on this page. The Action field above nevertheless says "Apply Patch", so check the plugin’s changelog for a release above 1.3.9 before concluding that none exists.

OpenCVE Recommended Actions

  • Update the Product Subtitle for WooCommerce plugin to the latest release from Spiderware; every version up to and including 1.3.9 is affected, so confirm afterwards that the installed version is above 1.3.9 and that the release notes cover the ‘htmlTag’ sanitization.
  • If an update is not immediately available, review every account at Contributor level or above, not only Contributors, and remove the role from users who do not need to edit content; the exposure is defined by who can set the subtitle, not by the role name.
  • Enable a Content Security Policy that omits ‘unsafe-inline’ from script-src, which blocks inline event handlers and script elements and so reduces the impact of any stored XSS that remains. WordPress admin pages and many themes rely on inline scripts, so deploy it as Content-Security-Policy-Report-Only first and review the reports before enforcing; this is defence in depth, not a substitute for the update.



Advisories
Source: EUVD
ID: EUVD-2025-16543
Title: same text as the Description at the top of this page.
History

Wed, 08 Apr 2026 18:30:00 +0000


Mon, 02 Jun 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 31 May 2025 06:45:00 +0000

Type: Description
Values Added: the description quoted at the top of this page.
Type: Title
Values Added: Product Subtitle for WooCommerce <= 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via htmlTag Parameter
Type: Weaknesses
Values Added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:16:25.874Z

Reserved: 2025-05-27T18:56:11.233Z

Link: CVE-2025-5285

Vulnrichment

Updated: 2025-06-02T15:17:59.728Z

NVD

Status : Deferred

Published: 2025-05-31T07:15:21.643

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5285

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T22:45:20Z

Weaknesses