Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realvirtualmx RVCFDI para Woocommerce rvcfdi-para-woocommerce allows Reflected XSS.This issue affects RVCFDI para Woocommerce: from n/a through <= 8.1.8.
Published: 2026-02-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting (XSS) in the RVCFDI para Woocommerce plugin
Action: Apply Patch
AI Analysis

Impact

This vulnerability is an Improper Neutralization of Input During Web Page Generation that allows a reflected cross‑site scripting flaw in the WordPress RVCFDI para Woocommerce plugin. An attacker can inject arbitrary JavaScript into a page, potentially enabling session hijacking, defacement, or credential theft against users who visit the crafted link.

Affected Systems

The issue affects the realvirtualmx RVCFDI para Woocommerce plugin on WordPress installations, specifically all releases from the initial version up to and including 8.1.8.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity level, while the EPSS score of less than 1% suggests a low probability of exploitation in the near term. The vulnerability is not currently listed in the CISA KEV catalog. Since it is a reflected XSS flaw, the likely attack vector involves a malicious URL or form submission that the site reflects back to the user without proper sanitization.

Generated by OpenCVE AI on April 27, 2026 at 20:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the RVCFDI para Woocommerce plugin to version 8.1.9 or later, which removes the vulnerable input handling.
  • If an update is not immediately possible, disable or remove any plugin features that render unsanitized user input in the page output, such as dangerous shortcodes or form fields.
  • Implement a strict Content Security Policy that blocks the execution of inline scripts, providing an additional layer against XSS execution.

Generated by OpenCVE AI on April 27, 2026 at 20:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Realvirtualmx
Realvirtualmx rvcfdi Para Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Realvirtualmx
Realvirtualmx rvcfdi Para Woocommerce
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realvirtualmx RVCFDI para Woocommerce rvcfdi-para-woocommerce allows Reflected XSS.This issue affects RVCFDI para Woocommerce: from n/a through <= 8.1.8.
Title WordPress RVCFDI para Woocommerce plugin <= 8.1.8 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Realvirtualmx Rvcfdi Para Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:58:07.545Z

Reserved: 2025-12-31T20:13:11.108Z

Link: CVE-2025-69386

cve-icon Vulnrichment

Updated: 2026-02-23T21:31:28.480Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:23.867

Modified: 2026-06-17T10:00:36.080

Link: CVE-2025-69386

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T20:30:12Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')