Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Woocommerce Envato Affiliates wooenvato allows Reflected XSS. This issue affects Woocommerce Envato Affiliates: from n/a through <= 1.2.1.
Published: 2025-10-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from user input that the Woocommerce Envato Affiliates plugin does not properly neutralize before placing it in generated page output, resulting in reflected cross‑site scripting. An attacker who can supply crafted input can have the malicious script executed in the browser of any user who views the affected page, potentially allowing theft of user credentials, session hijacking, or injection of additional malicious content.

Affected Systems

The affected product is the Woocommerce Envato Affiliates plugin from AA‑Team, versions from the initial release up to and including 1.2.1. Any WordPress site running this plugin within that version range is potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.1 places the issue in the high‑severity range, but the EPSS score is below 1%, indicating that the likelihood of exploitation in the wild is currently low. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a web request carrying the attacker's payload, and exploitation requires that the victim view a page generated by the vulnerable plugin. Successful exploitation lets the attacker execute arbitrary scripts in the context of the site's users.

Generated by OpenCVE AI on April 29, 2026 at 16:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Woocommerce Envato Affiliates plugin to a version newer than 1.2.1
  • If an upgrade is not immediately possible, disable any plugin options that accept unsanitized user input, or manually sanitize that input and escape it for the HTML context in which it is rendered so that it cannot execute as script
  • Deploy a web application firewall rule that detects and blocks reflected XSS payloads to protect users until the software can be updated
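The recommended actions above describe the fix in general terms. The following PHP is an added, illustrative example of the CWE-79 pattern behind this class of bug and of the WordPress-native way to close it; it is not code from the Woocommerce Envato Affiliates plugin, and the shortcode name, function names and the `search` query parameter are hypothetical.

```php
<?php
// Added example, not code from the Woocommerce Envato Affiliates plugin.
// Hypothetical shortcode that reflects a query-string parameter into the page.

// --- Vulnerable pattern (CWE-79): the value is read and echoed unchanged. ---
function example_affiliates_render_vulnerable() {
    // 'search' is a hypothetical parameter name.
    $search = isset( $_GET['search'] ) ? $_GET['search'] : '';
    // Whatever arrives in the URL lands in the HTML verbatim, so markup
    // supplied by a visitor is rendered and any script in it executes.
    return '<p>Results for: ' . $search . '</p>';
}

// --- Hardened pattern: unslash, sanitize on input, escape for the output context. ---
function example_affiliates_render_hardened() {
    $search = isset( $_GET['search'] )
        ? sanitize_text_field( wp_unslash( $_GET['search'] ) )
        : '';
    // Sanitization alone is not context-aware; escape at the point of output:
    //   esc_html() for text nodes, esc_attr() for attribute values, esc_url() for href/src.
    $html  = '<p>Results for: ' . esc_html( $search ) . '</p>';
    $html .= '<input type="text" name="search" value="' . esc_attr( $search ) . '">';
    return $html;
}

// Register only the hardened renderer (shortcode tag is hypothetical).
add_shortcode( 'example_affiliates', 'example_affiliates_render_hardened' );
```

The key point for reviewers of third-party plugin code is that `sanitize_text_field()` on input and `esc_html()`/`esc_attr()` on output are separate steps: the first normalizes what is stored or processed, the second guarantees that the value cannot break out of the HTML context where it is finally rendered, which is the property reflected XSS violates.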


Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 17:15:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Thu, 23 Oct 2025 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}; ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values Added: Aa-team; Aa-team woocommerce Envato Affiliates; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Aa-team; Aa-team woocommerce Envato Affiliates; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Woocommerce Envato Affiliates wooenvato allows Reflected XSS. This issue affects Woocommerce Envato Affiliates: from n/a through <= 1.2.1.

Type: Title
Values Added: WordPress Woocommerce Envato Affiliates plugin <= 1.2.1 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:12:40.146Z

Reserved: 2025-06-27T11:58:59.925Z

Link: CVE-2025-53297

Vulnrichment

Updated: 2025-10-23T13:57:47.640Z

NVD

Status : Deferred

Published: 2025-10-22T15:15:48.793

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-53297

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T16:45:15Z

Weaknesses