Impact
The vulnerability is a subscriber Cross-Site Scripting (XSS) flaw present in WooCommerce Designer Pro versions up to and including 1.9.34. It allows malicious script injection through the plugin's subscriber interface, potentially compromising the confidentiality and integrity of data presented to users and enabling attackers to steal session cookies or perform other client-side attacks. The weakness is classified as CWE-79. The impact is limited to the browsers of users who view the compromised content, but within that scope it can lead to credential theft, defacement, or the execution of arbitrary client-side code.
Affected Systems
WordPress sites running WooCommerce Designer Pro version 1.9.34 or older are affected. The flaw resides in the plugin's subscriber handling functionality and affects any site that has not updated the plugin to a fixed version.
Risk and Exploitability
The CVSS score is 6.5, indicating moderate severity. No EPSS score is available, so the current probability of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog, so public exploitation has not been confirmed. The likely attack vector is web-based interaction with the plugin's subscriber interface, which may be reachable by authenticated or unauthenticated users depending on site configuration. Mitigation requires updating the plugin to version 1.9.35 or later, as provided by the vendor. Where an immediate update is not possible, site administrators can consider temporarily disabling the plugin or applying a site-wide Content Security Policy (CSP) to limit script injection. The vulnerability underscores the need for timely vendor updates and for monitoring rendered pages for unexpected scripts.
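The interim CSP mitigation mentioned above, as an added example that is not part of WooCommerce Designer Pro or the OpenCVE record: a WordPress must-use plugin (drop it in wp-content/mu-plugins/) that sends a nonce-based policy on front-end requests and attaches the same nonce to scripts WordPress prints itself, so legitimate scripts keep running while an injected <script> tag is blocked. It assumes WordPress 5.7 or later (for the wp_script_attributes and wp_inline_script_attributes filters); the function names prefixed csp_example_ are the example's own.

```php
<?php
/**
 * Plugin Name: CSP Mitigation (added example, not vendor code)
 * Description: Nonce-based Content Security Policy as a stopgap against stored XSS.
 */

// One nonce per request; the header and every script tag must carry the same value.
function csp_example_nonce() {
    static $nonce = null;
    if ( null === $nonce ) {
        $nonce = base64_encode( random_bytes( 16 ) );
    }
    return $nonce;
}

// Only scripts that carry the nonce run; 'unsafe-inline' is deliberately absent,
// so a <script> injected through stored content has no nonce and is refused.
function csp_example_policy( $nonce ) {
    return "default-src 'self'; "
         . "script-src 'self' 'nonce-{$nonce}'; "
         . "object-src 'none'; "
         . "base-uri 'self'; "
         . "frame-ancestors 'self'";
}

// Fires before output on front-end requests. Start in Report-Only mode so
// third-party themes/plugins that print raw inline scripts are found without
// breaking the site; switch to 'Content-Security-Policy' once violations are clean.
add_action( 'send_headers', function () {
    header( 'Content-Security-Policy-Report-Only: ' . csp_example_policy( csp_example_nonce() ) );
} );

// Attach the nonce to enqueued and inline scripts emitted through the WP script API.
$csp_example_add_nonce = function ( $attributes ) {
    $attributes['nonce'] = csp_example_nonce();
    return $attributes;
};
add_filter( 'wp_script_attributes', $csp_example_add_nonce );
add_filter( 'wp_inline_script_attributes', $csp_example_add_nonce );
```

Per-request nonces are incompatible with full-page caching unless the cache layer rewrites them, and scripts printed by other plugins outside the script API will surface as violations in the browser console (or at a report-uri endpoint if you add one) while in Report-Only mode.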
OpenCVE Enrichment