WordPress Plugin Vulnerabilities

Product Blocks for WooCommerce < 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The Product Blocks for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
product-blocks-for-woocommerce
Fixed in 2.0

References

CVE
CVE-2025-22674
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/edb62de4-2d98-46fa-9244-585a547c0d27

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Peter Thaleikis
Verified
No
WPVDB ID
b186cdd7-2831-490d-8bcc-0dd176471ca7

Timeline

Publicly Published
2025-02-03 (about 1 year ago)
Added
2025-02-12 (about 1 year ago)
Last Updated
2025-02-12 (about 1 year ago)

Other

Published
Title
Published
2021-09-09
Title
Border Loading Bar <= 1.0.1 - Reflected Cross-Site Scripting
Published
2024-03-13
Title
WPFunnels < 3.0.7 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2023-04-12
Title
UserPlus <= 2.0 - Stored XSS via CSRF
Published
2020-09-09
Title
LearnPress < 3.2.7.3 - CSRF & XSS
Published
2025-02-21
Title
Better Customer List for WooCommerce <= 1.2.3 - Reflected Cross-Site Scripting