WordPress Plugin Vulnerabilities

YITH WooCommerce Wishlist < 4.6.0 - Contributor+ Stored XSS via id Parameter

Description

The plugin is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
yith-woocommerce-wishlist
Fixed in 4.6.0

References

CVE
CVE-2025-5238
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6d4b0434-61ca-47b1-9119-7208283f916f

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Asaf Mozes
Verified
No
WPVDB ID
bf6cc754-dfab-48fa-b709-924b49c2bca2

Timeline

Publicly Published
2025-06-13 (about 11 months ago)
Added
2025-06-16 (about 10 months ago)
Last Updated
2025-06-16 (about 10 months ago)

Other

Published
Title
Published
2025-01-07
Title
mcjh button shortcode <= 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-10-31
Title
Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE < 3.0.5 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Published
2021-01-15
Title
Pods < 2.7.27 - Authenticated Stored Cross-Site Scripting (XSS)
Published
2026-03-20
Title
Sherk Custom Post Type Displays <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute
Published
2024-05-17
Title
ShopLentor < 2.8.8 - Contributor+ Stored XSS