Description
The WPC Smart Compare for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shortcode_btn' shortcode in all versions up to, and including, 6.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-07-11
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

A stored cross‑site scripting vulnerability exists in the shortcode_btn shortcode of the WPC Smart Compare for WooCommerce plugin. Insufficient input sanitization and output escaping allow an attacker with authenticated contributor‑level access to inject arbitrary JavaScript that is stored and served on any page containing the shortcode. This can lead to defacement, credential theft, session hijacking, or other malicious actions performed in the context of users who visit the affected pages.

Affected Systems

All WordPress sites that have the wpclever WPC Smart Compare for WooCommerce plugin installed with a version up to and including 6.4.6 are affected. The plugin provides a "shortcode_btn" feature that is used by site administrators and contributors to add comparison buttons. Any site using these versions is therefore vulnerable.

Risk and Exploitability

The CVSS score of 6.4 indicates a medium severity level. The EPSS score of less than 1% suggests that the likelihood of real‑world exploitation is low at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector requires an authenticated user with contributor or higher privileges to place or modify content containing the vulnerable shortcode, after which the malicious payload is stored in the database and served when any user views the affected page.

Generated by OpenCVE AI on April 21, 2026 at 19:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WPC Smart Compare for WooCommerce to the latest version (at least 6.4.7) to remove the vulnerable shortcode implementation.
  • If a patch cannot be applied immediately, limit the use of the shortcode_btn to administrators only or disable the shortcode altogether on publicly accessible pages.
  • Implement a content filtering or security plugin that blocks or sanitizes potentially malicious scripts before they are rendered in the browser.

Generated by OpenCVE AI on April 21, 2026 at 19:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21117 The WPC Smart Compare for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shortcode_btn' shortcode in all versions up to, and including, 6.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Thu, 17 Jul 2025 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Wpclever
Wpclever wpc Smart Compare For Woocommerce
CPEs cpe:2.3:a:wpclever:wpc_smart_compare_for_woocommerce:*:*:*:*:*:wordpress:*:*
Vendors & Products Wpclever
Wpclever wpc Smart Compare For Woocommerce

Fri, 11 Jul 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.0003}

Fri, 11 Jul 2025 07:30:00 +0000

Type Values Removed Values Added
Description The WPC Smart Compare for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shortcode_btn' shortcode in all versions up to, and including, 6.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title WPC Smart Compare for WooCommerce <= 6.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wpclever Wpc Smart Compare For Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:47:18.811Z

Reserved: 2025-06-03T14:41:48.604Z

Link: CVE-2025-5530

cve-icon Vulnrichment

Updated: 2025-07-11T16:52:44.540Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-11T08:15:24.123

Modified: 2025-07-17T13:13:00.930

Link: CVE-2025-5530

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T20:00:25Z

Weaknesses