Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPSuperiors Developer WooCommerce Additional Fees On Checkout (Free) woo-additional-fees-on-checkout-wordpress allows Stored XSS.This issue affects WooCommerce Additional Fees On Checkout (Free): from n/a through <= 1.5.2.
Published: 2025-09-22
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an stored cross‑site scripting flaw caused by insufficient input sanitization in WooCommerce Additional Fees On Checkout (Free). Improper neutralization of input allows an attacker to embed persistent malicious scripts that will run whenever a page containing the affected data is rendered, potentially enabling credential theft, session hijacking, or defacement.

Affected Systems

All installations of the plugin developed by WPSuperiors Developer, specifically WooCommerce Additional Fees On Checkout (Free) version 1.5.2 or earlier, are susceptible. Updated or later releases remove the flaw.

Risk and Exploitability

With a CVSS score of 5.9 the severity is moderate; the EPSS score of less than 1 % indicates a very low probability of exploitation under current data. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the exploit likely requires access to the input fields used by the plugin during checkout or product configuration, so the attack surface is limited to sites that enable the plugin and allow malicious input.

Generated by OpenCVE AI on April 30, 2026 at 06:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WooCommerce Additional Fees On Checkout (Free) plugin to version 1.5.3 or later.
  • If an update is unavailable, disable or remove the plugin until a fix is released.
  • When the plugin must remain active, ensure all fields it stores or renders undergo proper sanitization to prevent the execution of injected scripts.

Generated by OpenCVE AI on April 30, 2026 at 06:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-30719 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPSuperiors Developer WooCommerce Additional Fees On Checkout (Free) allows Stored XSS. This issue affects WooCommerce Additional Fees On Checkout (Free): from n/a through 1.5.0.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPSuperiors Developer WooCommerce Additional Fees On Checkout (Free) allows Stored XSS. This issue affects WooCommerce Additional Fees On Checkout (Free): from n/a through 1.5.0. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPSuperiors Developer WooCommerce Additional Fees On Checkout (Free) woo-additional-fees-on-checkout-wordpress allows Stored XSS.This issue affects WooCommerce Additional Fees On Checkout (Free): from n/a through <= 1.5.2.
Title WordPress WooCommerce Additional Fees On Checkout (Free) Plugin <= 1.5.0 - Cross Site Scripting (XSS) Vulnerability WordPress WooCommerce Additional Fees On Checkout (Free) plugin <= 1.5.2 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Wpsuperiors
Wpsuperiors woocommerce Additional Fees On Checkout
Vendors & Products Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Wpsuperiors
Wpsuperiors woocommerce Additional Fees On Checkout

Tue, 23 Sep 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 22 Sep 2025 18:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPSuperiors Developer WooCommerce Additional Fees On Checkout (Free) allows Stored XSS. This issue affects WooCommerce Additional Fees On Checkout (Free): from n/a through 1.5.0.
Title WordPress WooCommerce Additional Fees On Checkout (Free) Plugin <= 1.5.0 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Woocommerce Woocommerce
Wordpress Wordpress
Wpsuperiors Woocommerce Additional Fees On Checkout
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:37.915Z

Reserved: 2025-08-22T11:35:51.303Z

Link: CVE-2025-57903

cve-icon Vulnrichment

Updated: 2025-09-23T13:47:53.717Z

cve-icon NVD

Status : Deferred

Published: 2025-09-22T19:15:45.890

Modified: 2026-04-23T15:32:59.047

Link: CVE-2025-57903

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T06:30:29Z

Weaknesses