WordPress Plugin Vulnerabilities

EAN for WooCommerce < 5.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description

The EAN for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
ean-for-woocommerce
Fixed in 5.4.7

References

CVE
CVE-2025-48249
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2c38833c-654e-4fe4-b642-ed880a928062

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
muhammad yudha
Verified
No
WPVDB ID
e190165c-50e9-4fc9-ba21-a9e436e2f8bd

Timeline

Publicly Published
2025-05-19 (about 1 year ago)
Added
2025-05-29 (about 1 year ago)
Last Updated
2025-05-29 (about 1 year ago)

Other

Published
Title
Published
2024-06-14
Title
Restaurant Menu and Food Ordering < 2.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2023-07-17
Title
Bubble Menu < 3.0.5 - Admin+ Stored XSS
Published
2023-01-10
Title
Strong Testimonials < 3.0.3 - Contributor+ Stored XSS via Shortcode
Published
2024-11-18
Title
Library Bookshelves < 5.9 - Reflected Cross-Site Scripting
Published
2025-03-24
Title
Easy Page Transition <= 1.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting