Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Swings Upsell Order Bump Offer for WooCommerce upsell-order-bump-offer-for-woocommerce allows Stored XSS.This issue affects Upsell Order Bump Offer for WooCommerce: from n/a through <= 3.0.7.
Published: 2025-09-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, classified as a stored XSS flaw. An attacker can inject malicious scripts that are saved in the database and executed whenever the affected page is rendered. This can allow an attacker to steal session cookies, deface the site, or perform actions on behalf of legitimate users. The weakness is identified as CWE‑79.

Affected Systems

The affected product is the WP Swings Upsell Order Bump Offer for WooCommerce plugin, versions through and including 3.0.7. Users running any of these versions on their WooCommerce sites are susceptible.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate severity, while the EPSS score of less than 1% suggests a very low likelihood of exploitation at present. The flaw is not listed in CISA’s KEV catalog. The likely attack vector is via a stored input field that the plugin accepts; an attacker would need to submit malicious content through that field—which may require administrative access or the ability to add content—after which any site visitor would be exposed to the injected script.

Generated by OpenCVE AI on April 30, 2026 at 00:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Upsell Order Bump Offer for WooCommerce plugin to version 3.0.8 or later
  • If an upgrade is not immediately possible, sanitize or escape all user‑supplied input stored by the plugin, and implement a Content Security Policy to mitigate XSS impact
  • Disable or remove the plugin entirely from the site until a secure version is available
  • Apply generic XSS mitigation best practices, such as setting the X-Content-Type-Options header to nosniff and using HTTP only and secure flags on cookies

Generated by OpenCVE AI on April 30, 2026 at 00:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-30484 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Swings Upsell Order Bump Offer for WooCommerce allows Stored XSS. This issue affects Upsell Order Bump Offer for WooCommerce: from n/a through 3.0.7.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Swings Upsell Order Bump Offer for WooCommerce allows Stored XSS. This issue affects Upsell Order Bump Offer for WooCommerce: from n/a through 3.0.7. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Swings Upsell Order Bump Offer for WooCommerce upsell-order-bump-offer-for-woocommerce allows Stored XSS.This issue affects Upsell Order Bump Offer for WooCommerce: from n/a through <= 3.0.7.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Wp Swings
Wp Swings upsell Order Bump Offer For Woocommerce
Vendors & Products Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Wp Swings
Wp Swings upsell Order Bump Offer For Woocommerce

Mon, 22 Sep 2025 18:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Swings Upsell Order Bump Offer for WooCommerce allows Stored XSS. This issue affects Upsell Order Bump Offer for WooCommerce: from n/a through 3.0.7.
Title WordPress Upsell Order Bump Offer for WooCommerce Plugin <= 3.0.7 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Woocommerce Woocommerce
Wordpress Wordpress
Wp Swings Upsell Order Bump Offer For Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:52.513Z

Reserved: 2025-09-17T18:00:53.704Z

Link: CVE-2025-59565

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2025-09-22T19:16:24.653

Modified: 2026-04-23T15:34:04.133

Link: CVE-2025-59565

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T00:30:23Z

Weaknesses