Description
The YITH WooCommerce Quick View plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's yith_quick_view shortcode in all versions up to, and including, 2.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-12-13
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (contributor+)
Action: Apply Patch
AI Analysis

Impact

The YITH WooCommerce Quick View WordPress plugin contains a stored cross‑site scripting flaw that allows an attacker with contributor or higher privileges to inject arbitrary JavaScript through attributes of the yith_quick_view shortcode. Once injected, the script executes for any user who views the affected page, potentially enabling script‑based attacks such as session hijacking, defacement, or malicious navigation. This weakness is identified as CWE‑79 and arises from insufficient input sanitization and output escaping during processing of the shortcode attributes.

Affected Systems

The vulnerability affects all releases of the YITH WooCommerce Quick View plugin up to and including version 2.7.0. Administrators of WordPress sites that have installed this plugin should verify the installed version and determine whether a newer release is available.

Risk and Exploitability

With a CVSS score of 6.4 the flaw represents a moderate severity vulnerability and an EPSS score of less than 1% indicates that exploitation is expected to be rare. The attacker must already be authenticated at a contributor level or higher, and the attack likely originates from the plugin’s front‑end or administration interfaces where the shortcode can be inserted. The vulnerability is not listed in the CISA KEV catalog but the potential impact of cross‑site script execution warrants timely remediation.

Generated by OpenCVE AI on April 21, 2026 at 17:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the YITH WooCommerce Quick View plugin to the newest release (the issue is fixed in versions after 2.7.0).
  • If an update is not immediately feasible, disable the plugin or remove the yith_quick_view shortcode from all pages to prevent script injection.
  • Audit the site for any injected scripts and delete any suspicious code; restrict contributor access to users who absolutely need it.

Generated by OpenCVE AI on April 21, 2026 at 17:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 14 Dec 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Yithemes
Yithemes yith Woocommerce Quick View
Vendors & Products Wordpress
Wordpress wordpress
Yithemes
Yithemes yith Woocommerce Quick View

Sat, 13 Dec 2025 04:45:00 +0000

Type Values Removed Values Added
Description The YITH WooCommerce Quick View plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's yith_quick_view shortcode in all versions up to, and including, 2.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title YITH WooCommerce Quick View <= 2.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via yith_quick_view Shortcode
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress Wordpress
Yithemes Yith Woocommerce Quick View
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:06:09.943Z

Reserved: 2025-08-05T20:10:29.300Z

Link: CVE-2025-8617

cve-icon Vulnrichment

Updated: 2025-12-15T15:43:21.786Z

cve-icon NVD

Status : Deferred

Published: 2025-12-13T16:16:56.130

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8617

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T17:15:25Z

Weaknesses