Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nick Verwymeren Quantities and Units for WooCommerce quantities-and-units-for-woocommerce allows Stored XSS. This issue affects Quantities and Units for WooCommerce: from n/a through <= 1.0.13.
Published: 2025-09-26
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability permits stored cross‑site scripting, meaning that malicious code can be permanently embedded in a page served to any visitor. A compromised site could be used to steal session cookies, deface content, or redirect users to malicious domains. The weakness is a classic failure to neutralize input before it is rendered in a page (CWE‑79).

Affected Systems

The affected product is the WordPress plugin Quantities and Units for WooCommerce, version 1.0.13 and earlier. The vendor is Nick Verwymeren. No additional version details are provided beyond the upper bound of 1.0.13.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate severity, and the EPSS score is below 1%, suggesting a low probability of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker to supply a malicious payload via the plugin’s input fields, which is stored and later rendered in page output without proper escaping. The primary attack vector is likely within the WordPress admin interface or any user input accepted by the plugin. Nonetheless, because the script runs in the context of site visitors, it can be leveraged to compromise user accounts and hijack sessions.

Generated by OpenCVE AI on April 30, 2026 at 00:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Quantities and Units for WooCommerce plugin to a version newer than 1.0.13.
  • If an upgrade is not immediately possible, remove or neutralize the input fields used in the plugin’s quantity/units features by disabling or deleting the plugin functionality.
  • Implement a site‑wide content security policy that restricts script execution and specifies a safe‑list of trusted domains.


Advisories
Source: EUVD
ID: EUVD-2025-31315
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nick Verwymeren Quantities and Units for WooCommerce allows Stored XSS. This issue affects Quantities and Units for WooCommerce: from n/a through 1.0.13.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nick Verwymeren Quantities and Units for WooCommerce allows Stored XSS. This issue affects Quantities and Units for WooCommerce: from n/a through 1.0.13.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nick Verwymeren Quantities and Units for WooCommerce quantities-and-units-for-woocommerce allows Stored XSS. This issue affects Quantities and Units for WooCommerce: from n/a through <= 1.0.13.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Mon, 29 Sep 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Sep 2025 09:45:00 +0000

Type Values Removed Values Added
First Time appeared
  Nick Verwymeren
  Nick Verwymeren quantities And Units For Woocommerce
  Woocommerce
  Woocommerce woocommerce
  Wordpress
  Wordpress wordpress
Vendors & Products
  Nick Verwymeren
  Nick Verwymeren quantities And Units For Woocommerce
  Woocommerce
  Woocommerce woocommerce
  Wordpress
  Wordpress wordpress

Fri, 26 Sep 2025 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nick Verwymeren Quantities and Units for WooCommerce allows Stored XSS. This issue affects Quantities and Units for WooCommerce: from n/a through 1.0.13.
Title WordPress Quantities and Units for WooCommerce plugin <= 1.0.13 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:49.646Z

Reserved: 2025-09-06T04:44:19.610Z

Link: CVE-2025-58917

Vulnrichment

Updated: 2025-09-29T16:35:22.378Z

NVD

Status: Deferred

Published: 2025-09-26T09:15:32.817

Modified: 2026-04-23T15:33:52.430

Link: CVE-2025-58917

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T00:30:23Z

Weaknesses