Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Get Bowtied Shopkeeper Extender shopkeeper-extender allows Stored XSS. This issue affects Shopkeeper Extender: from n/a through < 7.0.
Published: 2025-12-09
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Get Bowtied Shopkeeper Extender plugin stores user-supplied input and later writes it into a generated page without neutralizing it, a stored cross-site scripting weakness classified as CWE-79. A payload injected once is served to every visitor of the affected page and executes in their browsers within the site's origin, which can expose session cookies or credentials, let the attacker act as the victim, or deface content. This is an output-neutralization failure rather than a simple input-validation miss: the durable fix is escaping at the point of rendering, with input filtering as defence in depth. The published CVSS vector rates the impact on confidentiality, integrity and availability of site users as low each.

Affected Systems

WordPress sites running the Shopkeeper Extender plugin at any version below 7.0 are vulnerable. The record gives no lower bound ('from n/a'), so every earlier release should be treated as affected, not only recent ones. Site administrators should inventory installations of the plugin and check the installed version (on the Plugins screen or with WP-CLI) against 7.0.

Risk and Exploitability

With a CVSS score of 6.5 the vulnerability is of moderate severity, while the EPSS score below 1 % and its absence from the CISA KEV catalogue indicate a low current probability of exploitation. The vector (AV:N/AC:L/PR:L/UI:R/S:C) says the attacker needs a low-privilege account on the site and the payload fires when another user loads the affected page. Because the XSS is stored, every user who visits a page that includes the plugin-generated content is exposed. The record does not name the affected field, so any writable setting, widget or content field that the plugin both persists and renders should be treated as a candidate sink until the vendor's changelog or the 7.0 diff has been reviewed. Once stored, the script runs in each visitor's browser within the site's origin. Although exploitation likelihood is low, the reach of a single stored payload on a public site warrants proactive remediation.
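To make the pattern concrete, here is an added illustration (not Shopkeeper Extender's own code; the CVE record does not identify the affected field, so the option name `skx_banner_text`, the `skx_` prefix, the form field names and the hooks used are hypothetical) of a setting that is persisted and rendered the vulnerable way, followed by the same feature with the checks that neutralize the input:

```php
<?php
// Added illustration, not Shopkeeper Extender's code. The record does not name
// the affected field: 'skx_banner_text', the 'skx_' prefix and the form field
// names are hypothetical stand-ins for "a writable field the plugin persists".

/* ---------- Vulnerable pattern (CWE-79): stored as received, echoed as stored ---------- */

function skx_vuln_save_banner() {
    if ( ! isset( $_POST['skx_banner_text'] ) ) {
        return;
    }
    // No capability check, no nonce, no filtering: any logged-in user who can reach
    // this handler persists arbitrary markup (the PR:L part of the CVSS vector).
    update_option( 'skx_banner_text', wp_unslash( $_POST['skx_banner_text'] ) );
}

function skx_vuln_render_banner() {
    // Echoed raw. A stored '<img src=x onerror="...">' now runs in every visitor's
    // browser, in the site's origin (the UI:R / S:C part of the vector).
    echo '<div class="skx-banner">' . get_option( 'skx_banner_text', '' ) . '</div>';
}

/* ---------- Hardened version: authorize, filter on save, escape on output ---------- */

function skx_safe_save_banner() {
    if ( ! isset( $_POST['skx_banner_text'] ) ) {
        return;
    }
    // 1. Only users allowed to change site settings may write this option; a
    //    Contributor-level account (PR:L) must not reach update_option() here.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // 2. Only from the plugin's own form (CSRF protection; the form emits the nonce
    //    with wp_nonce_field( 'skx_save_banner', 'skx_nonce' )).
    $nonce = isset( $_POST['skx_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['skx_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'skx_save_banner' ) ) {
        return;
    }
    // 3. Keep only the HTML WordPress allows in post content: wp_kses_post() drops
    //    <script>, on* handlers and javascript: URLs but leaves <strong>, <a href>, etc.
    $clean = wp_kses_post( wp_unslash( $_POST['skx_banner_text'] ) );
    update_option( 'skx_banner_text', $clean );
}

function skx_safe_render_banner() {
    // 4. Neutralize at the output point as well. This is the CWE-79 fix proper and
    //    also covers rows written before the save-side filter existed.
    $text = get_option( 'skx_banner_text', '' );
    echo '<div class="skx-banner">' . wp_kses_post( $text ) . '</div>';
    // If the field is meant to be plain text, use esc_html( $text ) here instead;
    // inside an HTML attribute use esc_attr( $text ).
}

// Wiring (hypothetical hooks; only the safe variants should ship).
add_action( 'admin_init', 'skx_safe_save_banner' );
add_action( 'wp_footer', 'skx_safe_render_banner' );
```

The save-side filter alone is not enough: a row written before the filter was added, or through another code path, still reaches the page, which is why step 4 escapes at render time regardless of what was stored. Choose the escaping function by context (`esc_html` for text nodes, `esc_attr` for attributes, `wp_kses_post` only where limited HTML is a feature), and pick the capability in step 1 to be the narrowest one that the feature genuinely needs.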

Generated by OpenCVE AI on April 29, 2026 at 11:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Shopkeeper Extender to version 7.0 or later, the first version outside the affected range given in the record.
  • If an immediate upgrade is not possible, deactivate the plugin until it can be upgraded; with the plugin inactive its stored content is no longer rendered, although any injected payload remains in the database.
  • Audit everything the plugin has persisted (its options and any widget, post meta or custom-table content it writes) for markup it should not carry, in particular script tags, on* event handlers and javascript: URLs, and remove or re-sanitize those entries. Upgrading the code does not clean data that was stored before the upgrade.
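An added example of the audit in the last action (not the plugin's or OpenCVE's code): a WP-CLI command that scans options under a given prefix, unserializes them, and flags values containing markup outside WordPress's post-safe allowlist or the high-signal XSS tokens named above. The `skx audit` command name is hypothetical, and the block assumes the plugin stores its settings in `wp_options`; if the plugin writes post meta or custom tables, the same value check applies to those rows.

```php
<?php
// Added audit helper, not Shopkeeper Extender's code. Assumes the plugin keeps its
// settings in wp_options under a prefix you pass in; 'skx audit' is a hypothetical
// WP-CLI command name. Usage: wp skx audit --prefix=<plugin option prefix>

/**
 * True when a stored value (a string, or an array/object from a serialized option)
 * contains markup that wp_kses_post() would not allow, or a high-signal XSS token.
 * $reason is filled in with a short explanation for the report.
 */
function skx_value_is_suspect( $value, &$reason = '' ) {
    if ( is_array( $value ) || is_object( $value ) ) {
        foreach ( (array) $value as $inner ) {
            if ( skx_value_is_suspect( $inner, $reason ) ) {
                return true;
            }
        }
        return false;
    }
    if ( ! is_string( $value ) ) {
        return false;
    }
    // High-signal tokens first: these are almost never legitimate in settings.
    if ( preg_match( '/<script\b|<iframe\b|\bon[a-z]+\s*=|javascript\s*:/i', $value ) ) {
        $reason = 'script/iframe/event-handler/javascript: token';
        return true;
    }
    // Broader check: anything the post-content allowlist would strip or rewrite.
    // wp_kses_post() also normalizes legitimate HTML (quotes attributes, encodes
    // entities), so a mismatch here is a triage flag, not proof of a payload.
    if ( false !== strpos( $value, '<' ) && wp_kses_post( $value ) !== $value ) {
        $reason = 'markup outside the wp_kses_post allowlist (review manually)';
        return true;
    }
    return false;
}

/**
 * Scan wp_options rows whose names start with $prefix.
 * Returns an array of option_name => reason for every suspect row.
 */
function skx_scan_options( $prefix ) {
    global $wpdb;
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT option_name, option_value FROM {$wpdb->options} WHERE option_name LIKE %s",
            $wpdb->esc_like( $prefix ) . '%'
        )
    );
    $hits = array();
    foreach ( $rows as $row ) {
        $reason = '';
        // Serialized arrays (common for plugin settings) are walked recursively.
        if ( skx_value_is_suspect( maybe_unserialize( $row->option_value ), $reason ) ) {
            $hits[ $row->option_name ] = $reason;
        }
    }
    return $hits;
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    /**
     * Flag plugin options that contain script-capable markup.
     *
     * ## OPTIONS
     *
     * --prefix=<prefix>
     * : Option-name prefix to scan (the plugin's own prefix, not known from the record).
     */
    WP_CLI::add_command(
        'skx audit',
        function ( $args, $assoc_args ) {
            $prefix = isset( $assoc_args['prefix'] ) ? $assoc_args['prefix'] : '';
            if ( '' === $prefix ) {
                WP_CLI::error( 'Pass --prefix=<plugin option prefix>.' );
            }
            $hits = skx_scan_options( $prefix );
            foreach ( $hits as $name => $reason ) {
                WP_CLI::warning( "{$name}: {$reason}" );
            }
            WP_CLI::success( count( $hits ) . ' suspect option(s) found under prefix ' . $prefix );
        }
    );
}
```

The scan only reports; deleting or rewriting a flagged option is a manual decision, because the allowlist comparison also fires on legitimate but unnormalized HTML. For rows that do hold a payload, replace the value with `wp_kses_post()` of itself (or delete the option) and then look at who wrote it: the low-privilege account that stored the payload is the incident's entry point.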


Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Wed, 10 Dec 2025 18:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress; Wordpress wordpress
Vendors & Products                    Wordpress; Wordpress wordpress

Tue, 09 Dec 2025 20:15:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Dec 2025 14:30:00 +0000

Type          Values Removed   Values Added
Description                    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Get Bowtied Shopkeeper Extender shopkeeper-extender allows Stored XSS. This issue affects Shopkeeper Extender: from n/a through < 7.0.
Title                          WordPress Shopkeeper Extender plugin < 7.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses                     CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:19:03.930Z

Reserved: 2025-12-09T12:21:12.170Z

Link: CVE-2025-67544

Vulnrichment

Updated: 2025-12-09T19:47:03.935Z

NVD

Status : Deferred

Published: 2025-12-09T16:18:30.047

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-67544

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:45:10Z

Weaknesses