Quick View for WooCommerce < 2.2.17 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2025-58228 | Plugin Vulnerabilities

Description

The Quick View for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.2.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Fixed in 2.2.17

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4135e93e-596d-4ada-86ad-4f161e7ed38e

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Prissy

Verified

No

WPVDB ID

c4eca673-5c49-4f22-afd7-01715c140469

Timeline

Publicly Published

2025-09-22 (about 9 months ago)

Added

2025-09-26 (about 8 months ago)

Last Updated

2025-09-29 (about 8 months ago)

Other

Published

Title

Published

2024-04-24

Title

Photo Gallery - GT3 Image Gallery & Gutenberg Block Gallery < 2.7.7.22 - Authenticated (Author+) Cross-Site Scripting

Published

2025-04-02

Title

Unlimited Elements For Elementor < 1.5.143 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2024-10-21

Title

ACL Floating Cart for WooCommerce <= 0.9 - Reflected Cross-Site Scripting

Published

2025-04-22

Title

VForm < 3.1.15 - Authenticated (Administrator+) Stored Cross-Site Scripting

Published

2026-02-26

Title

Elfsight WhatsApp Chat CC <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting