Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Wishlist for WooCommerce wish-list-for-woocommerce allows Stored XSS. This issue affects Wishlist for WooCommerce: from n/a through <= 3.3.0.
Published: 2026-01-06
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The issue is an improper neutralization of input during web page generation that allows a stored cross‑site scripting (XSS) flaw to be exploited. Any malicious script injected through the plugin’s input handling can subsequently run in the browsers of visitors to the affected site, potentially leading to session hijacking, defacement, or data theft.

Affected Systems

The vulnerability affects the WPFactory Wishlist for WooCommerce plugin for all releases up to and including version 3.3.0. Users running any of those versions are impacted, while installations of newer releases are presumed unaffected.

Risk and Exploitability

The CVSS score is 6.5, indicating moderate severity. The EPSS score is below 1 %, signalling a low probability of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog. The most likely attack vector is remote via the public web interface, where an attacker can submit malicious payloads that are later rendered during page generation. Because it is a stored XSS flaw, the impact can persist until mitigated.

Generated by OpenCVE AI on April 27, 2026 at 21:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Wishlist for WooCommerce plugin to the newest release that addresses the XSS flaw.
  • If a patch is not yet available, disable or uninstall the plugin to eliminate the attack surface until a fix is released.
  • Use a web‑application firewall or security plugin to block script injection into the plugin’s input fields as an additional precaution.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Wed, 07 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpfactory
Wpfactory wishlist For Woocommerce
Vendors & Products Wordpress
Wordpress wordpress
Wpfactory
Wpfactory wishlist For Woocommerce

Tue, 06 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 06 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 06 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Wishlist for WooCommerce wish-list-for-woocommerce allows Stored XSS. This issue affects Wishlist for WooCommerce: from n/a through <= 3.3.0.
Title WordPress Wishlist for WooCommerce plugin <= 3.3.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:53:36.781Z

Reserved: 2025-12-31T20:12:23.433Z

Link: CVE-2025-69334

Vulnrichment

Updated: 2026-01-06T16:54:27.054Z

NVD

Status: Deferred

Published: 2026-01-06T17:15:46.157

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69334

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T22:00:16Z

Weaknesses