Flexible PDF Coupons < 1.10.3 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2025-22825 | Plugin Vulnerabilities

Description

The Flexible PDF Coupons – Gift Cards & Vouchers for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.10.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

flexible-coupons

Fixed in 1.10.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/a818abe9-5520-4c63-9b41-52865ebd1820

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

SavPhill (Savphill)

Verified

No

WPVDB ID

3e388811-3789-4294-bdbc-1ea49bfb078f

Timeline

Publicly Published

2025-01-15 (about 1 year ago)

Added

2025-01-22 (about 1 year ago)

Last Updated

2025-01-22 (about 1 year ago)

Other

Published

Title

Published

2024-08-29

Title

PowerPress Podcasting < 11.9.18 - Author+ XSS

Published

2023-11-29

Title

NextScripts < 4.4.3 - Reflected Cross-Site Scripting via code

Published

2025-10-02

Title

Epic Bootstrap Buttons <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via icol Parameter

Published

2024-07-08

Title

Panda Video < 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-11-01

Title

Sastra Essential Addons for Elementor < 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting