Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GLS GLS Shipping for WooCommerce gls-shipping-for-woocommerce allows Reflected XSS. This issue affects GLS Shipping for WooCommerce: from n/a through <= 1.4.0.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (Reflected XSS)
Action: Apply Patch
AI Analysis

Impact

This vulnerability is an improper neutralization of input during web page generation in the GLS Shipping for WooCommerce plugin. The flaw allows reflected cross‑site scripting, meaning that attackers can supply malicious input that is echoed back to a user’s browser. As a result, arbitrary client‑side code can execute in the context of a legitimate visitor to the site.

Affected Systems

The affected product is GLS Shipping for WooCommerce, all versions from the earliest release up to and including version 1.4.0. Any WordPress site that has an instance of the plugin within that version range is potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity for this reflected XSS flaw. The EPSS score of <1% shows a very low probability of widespread exploitation at the time of this analysis. The vulnerability is not listed in CISA KEV. Based on the description, exploitation would likely require a victim to be presented with a crafted input or link that triggers the reflected script execution in a standard web browser.

Generated by OpenCVE AI on April 28, 2026 at 18:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update GLS Shipping for WooCommerce to a version newer than 1.4.0; an official patch is available.
  • If an update cannot be applied immediately, disable the plugin or remove the vulnerable component from the site to eliminate exposure.
  • Deploy a Web Application Firewall or configure input sanitization plugins to block reflected XSS payloads as a temporary safeguard until the official patch is applied.

Advisories

No advisories yet.

History

Wed, 28 Jan 2026 22:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Gls
  Gls shipping For Woocommerce
  Woocommerce
  Woocommerce woocommerce
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Gls
  Gls shipping For Woocommerce
  Woocommerce
  Woocommerce woocommerce
  Wordpress
  Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Values Removed: (none)
Values Added:
  Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GLS GLS Shipping for WooCommerce gls-shipping-for-woocommerce allows Reflected XSS. This issue affects GLS Shipping for WooCommerce: from n/a through <= 1.4.0.
  Title: WordPress GLS Shipping for WooCommerce plugin <= 1.4.0 - Cross Site Scripting (XSS) vulnerability
  Weaknesses: CWE-79
  References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:54:33.956Z

Reserved: 2025-12-15T10:00:54.714Z

Link: CVE-2025-68011

Vulnrichment

Updated: 2026-01-28T21:28:04.678Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:07.447

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68011

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T18:15:37Z

Weaknesses