Woocommerce < 9.7.1 – Shop Manager+ Stored XSS via New Product Form | CVE 2025-26762 | Plugin Vulnerabilities

Description

The plugin does not escape its product title after decoding and displaying it in a page, which could allow ShopManager users to perform Stored XSS attacks

Proof of Concept

Navigate to WooCommerce > Settings > Advanced > Features.
Check the option “Try new product editor (Beta)” and save changes.
A payment option also needs to be enabled, here we can turn on the ‘Cash on Delivery’ option in WooCommerce > Settings > Payments.

As Shop Manager, add a new product. Under the basic details, add the products name as &lt;img src onerror=alert('test')&gt;

Add a price, and publish the product. Now view the product, and ‘add to cart’.

Go to the Cart page to trigger the XSS

Affects Plugins

Fixed in 9.7.1

References

CVE

URL

https://developer.woocommerce.com/2025/03/04/woocommerce-9-7-1-dot-release/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

savphill

Submitter

savphill

Submitter website

https://hackerone.com/savphill

Verified

Yes

WPVDB ID

94cbfc1b-9a55-44fa-b1d9-0c47980ace3c

Timeline

Publicly Published

2025-03-04 (about 1 year ago)

Added

2025-03-07 (about 1 year ago)

Last Updated

2025-03-07 (about 1 year ago)

Other

Published

Title

Published

2025-03-24

Title

ARPrice <= 4.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2011-11-17

Title

Flexible Custom Post Type < 0.1.7 - XSS

Published

2026-02-25

Title

Photography <= 7.6.1 - Unauthenticated Stored Cross-Site Scripting

Published

2025-12-30

Title

Wishlist for WooCommerce < 3.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-01-10

Title

User Messages <= 1.2.4 - Reflected XSS