Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codisto Omnichannel for WooCommerce codistoconnect allows Stored XSS. This issue affects Omnichannel for WooCommerce: from n/a through <= 1.3.65.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS) that permits arbitrary JavaScript injection
Action: Immediate Patch
AI Analysis

Impact

The Omnichannel for WooCommerce plugin, version 1.3.65 and earlier, contains an improper neutralization of input during web page generation. A stored XSS flaw permits an attacker to embed malicious scripts that are rendered in the browser of any user who views a page processed by the plugin.

Affected Systems

WordPress sites that have the codisto Omnichannel for WooCommerce plugin installed with a version up to and including 1.3.65. Any installation using an older or unpatched version of this plugin is susceptible.

Risk and Exploitability

The CVSS score of 7.1 is rated High. The EPSS score of less than 1% suggests the likelihood of exploitation in the wild is currently low, and the vulnerability is not listed in the CISA KEV catalog. The most probable attack vector appears to be user‑generated content or admin input that is stored by the plugin and later rendered without proper escaping.

Generated by OpenCVE AI on April 28, 2026 at 18:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Omnichannel for WooCommerce plugin to version 1.3.66 or newer.
  • Clean or purge all content that was stored by older versions of the plugin, ensuring no malicious scripts remain.
  • Apply a content security policy limiting script sources to trusted origins to constrain the impact of any future XSS.

Advisories

No advisories yet.

History

Wed, 28 Jan 2026 18:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Codisto
  Codisto omnichannel For Woocommerce
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Codisto
  Codisto omnichannel For Woocommerce
  Wordpress
  Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codisto Omnichannel for WooCommerce codistoconnect allows Stored XSS. This issue affects Omnichannel for WooCommerce: from n/a through <= 1.3.65.

Type: Title
Values Removed: (none)
Values Added: WordPress Omnichannel for WooCommerce plugin <= 1.3.65 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:56:21.136Z

Reserved: 2025-12-15T10:01:07.754Z

Link: CVE-2025-68041

Vulnrichment

Updated: 2026-01-28T17:24:20.305Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:09.257

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68041

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T18:15:37Z
