Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPClever WPC Smart Messages for WooCommerce wpc-smart-messages allows Stored XSS. This issue affects WPC Smart Messages for WooCommerce: from n/a through <= 4.2.8.
Published: 2025-10-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw that allows an attacker to inject malicious script into the plugin’s message content. When an attacker submits specially crafted input through the message interface, the payload is saved and then executed whenever any site visitor renders the message. This can lead to session hijacking, cookie theft, data tampering, or defacement of the site’s front end.

Affected Systems

The affected product is the WPC Smart Messages for WooCommerce plugin developed by WPClever. Versions from n/a up to and including 4.2.8 are vulnerable; the issue is not present in newer releases.

Risk and Exploitability

The CVSS score of 6.5 is rated Medium. The EPSS score of less than 1% suggests a low probability of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. An attacker would most likely gain access to the plugin’s backend or content creation interface and store the payload there, after which any user who loads the page triggers the script. Because execution occurs during page rendering, the attack vector is web-based and depends on the user’s web browser.

Generated by OpenCVE AI on April 29, 2026 at 20:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WPC Smart Messages for WooCommerce plugin to version 4.2.9 or later to receive the security fix.
  • Restrict message creation and editing privileges to trusted administrators and review any existing messages for malicious content.
  • If immediate upgrade is not possible, manually sanitize or remove message content that could contain user‑supplied input, and consider disabling the message feature until the fix is applied.


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPClever WPC Smart Messages for WooCommerce wpc-smart-messages allows Stored XSS. This issue affects WPC Smart Messages for WooCommerce: from n/a through <= 4.2.4.
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPClever WPC Smart Messages for WooCommerce wpc-smart-messages allows Stored XSS. This issue affects WPC Smart Messages for WooCommerce: from n/a through <= 4.2.8.

Type: Title
Values Removed: WordPress WPC Smart Messages for WooCommerce plugin <= 4.2.4 - Cross Site Scripting (XSS) vulnerability
Values Added: WordPress WPC Smart Messages for WooCommerce plugin <= 4.2.8 - Cross Site Scripting (XSS) vulnerability

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Tue, 28 Oct 2025 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Oct 2025 22:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress; Wpclever; Wpclever wpc Smart Messages For Woocommerce

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress; Wpclever; Wpclever wpc Smart Messages For Woocommerce

Mon, 27 Oct 2025 02:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPClever WPC Smart Messages for WooCommerce wpc-smart-messages allows Stored XSS. This issue affects WPC Smart Messages for WooCommerce: from n/a through <= 4.2.4.

Type: Title
Values Added: WordPress WPC Smart Messages for WooCommerce plugin <= 4.2.4 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:05.070Z

Reserved: 2025-10-24T14:24:23.977Z

Link: CVE-2025-62903

Vulnrichment

Updated: 2025-10-27T15:18:58.147Z

NVD

Status: Deferred

Published: 2025-10-27T02:15:49.457

Modified: 2026-04-27T18:16:28.970

Link: CVE-2025-62903

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T21:00:09Z

Weaknesses