Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP-EXPERTS.IN Sales Count Manager for WooCommerce wc-sales-count-manager allows Stored XSS.This issue affects Sales Count Manager for WooCommerce: from n/a through <= 2.6.
Published: 2025-09-22
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation that allows a stored Cross‑Site Scripting (XSS) attack in the WordPress Sales Count Manager for WooCommerce plugin. An attacker can inject malicious scripts that are then rendered in the browser of anyone who views the affected content, potentially stealing session cookies, defacing the site, or executing arbitrary client‑side actions. The primary impact is the compromise of confidentiality and integrity of sensitive user data, and depending on the attacker’s intentions, it could also lead to defacement or further exploitation of the site.

Affected Systems

Vendors: WP‑EXPERTS․IN: Sales Count Manager for WooCommerce. Affected versions are all releases from the initial release through version 2.6 inclusive.

Risk and Exploitability

The CVSS score of 5.9 places this vulnerability in the medium severity range. The EPSS score of less than 1% indicates that the probability of exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through the web interface, where an attacker must be able to submit content that the plugin stores for later display. If the plugin allows administrative users to enter data, an attacker who compromises an admin account—or convinces a legitimate admin to submit malicious data—would be able to exploit this stored XSS flaw.

Generated by OpenCVE AI on April 30, 2026 at 00:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Sales Count Manager for WooCommerce plugin to a version that removes the stored XSS flaw (any release after 2.6).
  • If an upgrade is not possible, disable or remove any features of the plugin that accept or display user‑supplied input until a patch is applied.
  • Apply a Content Security Policy that restricts inline scripts or use a web application firewall to detect and block XSS payloads.

Generated by OpenCVE AI on April 30, 2026 at 00:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-30731 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP-EXPERTS.IN Sales Count Manager for WooCommerce allows Stored XSS. This issue affects Sales Count Manager for WooCommerce: from n/a through 2.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP-EXPERTS.IN Sales Count Manager for WooCommerce allows Stored XSS. This issue affects Sales Count Manager for WooCommerce: from n/a through 2.5. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP-EXPERTS.IN Sales Count Manager for WooCommerce wc-sales-count-manager allows Stored XSS.This issue affects Sales Count Manager for WooCommerce: from n/a through <= 2.6.
Title WordPress Sales Count Manager for WooCommerce Plugin <= 2.5 - Cross Site Scripting (XSS) Vulnerability WordPress Sales Count Manager for WooCommerce plugin <= 2.6 - Cross Site Scripting (XSS) vulnerability
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Tue, 23 Sep 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Wp-experts
Wp-experts sales Count Manager
Vendors & Products Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Wp-experts
Wp-experts sales Count Manager

Mon, 22 Sep 2025 18:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP-EXPERTS.IN Sales Count Manager for WooCommerce allows Stored XSS. This issue affects Sales Count Manager for WooCommerce: from n/a through 2.5.
Title WordPress Sales Count Manager for WooCommerce Plugin <= 2.5 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Woocommerce Woocommerce
Wordpress Wordpress
Wp-experts Sales Count Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:37.924Z

Reserved: 2025-08-22T11:36:00.587Z

Link: CVE-2025-57904

cve-icon Vulnrichment

Updated: 2025-09-23T15:39:59.569Z

cve-icon NVD

Status : Deferred

Published: 2025-09-22T19:15:46.060

Modified: 2026-04-23T15:32:59.173

Link: CVE-2025-57904

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T00:45:24Z

Weaknesses