Free WooCommerce Theme 99fy Extension < 1.2.9 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2025-22801 | Plugin Vulnerabilities

Description

The Free WooCommerce Theme 99fy Extension plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Fixed in 1.2.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/757e7eec-ac03-4d5b-8307-b167f9b3d5b5

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

João Pedro Soares de Alcântara

Verified

No

WPVDB ID

cc115d8b-5700-4bb5-8df5-024af98c4e67

Timeline

Publicly Published

2025-01-07 (about 1 year ago)

Added

2025-01-14 (about 1 year ago)

Last Updated

2025-01-14 (about 1 year ago)

Other

Published

Title

Published

2025-03-03

Title

Shortcodes Ultimate < 7.3.4 - Contributor+ Stored XSS

Published

2021-12-20

Title

Profile Extra Fields < 1.2.4 - Reflected Cross-Site Scripting

Published

2025-11-07

Title

aThemes Addons for Elementor < 1.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Call To Action Widget

Published

2024-06-22

Title

if-so < 1.8.0.4 - Admin+ Stored XSS

Published

2025-09-04

Title

Flatsome < 3.20.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode