Ecwid Shopping Cart < 7.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2025-32195 | Plugin Vulnerabilities

Description

The Ecwid Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

ecwid-shopping-cart

Fixed in 7.0.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/cf810967-9fb9-4d6b-9671-1f41176248bb

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Ngô Thiên An (ancorn_)

Verified

No

WPVDB ID

a9ec77cb-c469-43ac-9379-39044f440ba3

Timeline

Publicly Published

2025-04-04 (about 11 months ago)

Added

2025-04-09 (about 11 months ago)

Last Updated

2025-05-01 (about 10 months ago)

Other

Published

Title

Published

2014-08-01

Title

Validated < 1.0.2 - Cross-Site Scripting (XSS)

Published

2024-10-31

Title

WP EASY RECIPE <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-03-31

Title

IMPress for IDX Broker < 3.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-05-30

Title

History Log by click5 <= 1.0.13 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Published

2026-01-08

Title

Super Interactive Maps <= 2.3 - Reflected Cross-Site Scripting