Scan free
MEDIUMCVE-2025-49042CVSS 5.9

CVE-2025-49042: Stored XSS in WooCommerce 10.0.2

Platform

wordpress

Component

woocommerce

Fixed in

10.0.3

AI Confidence: highNVDEPSS 0.1%Reviewed: May 2026
View on NVD
Save

CVE-2025-49042 describes a Stored Cross-Site Scripting (XSS) vulnerability discovered in WooCommerce. This flaw allows attackers to inject malicious scripts that are stored within the database and subsequently executed when other users access affected pages. Versions of WooCommerce from 0.0.0 up to and including 10.0.2 are vulnerable, and a fix is available in version 10.0.3.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Impact and Attack Scenarios

Successful exploitation of this XSS vulnerability allows an attacker to execute arbitrary JavaScript code in the context of a victim's browser. This can lead to various malicious actions, including session hijacking, account takeover, redirection to phishing sites, and defacement of the WooCommerce store. The stored nature of the vulnerability means the malicious script persists until removed, potentially impacting multiple users over time. Attackers could leverage this to steal sensitive user data, such as login credentials or personal information, or even gain administrative access to the WooCommerce store if the user has sufficient privileges.

Exploitation Context

CVE-2025-49042 was published on 2025-10-29. Severity is currently assessed as Medium. No public exploits or active campaigns targeting this vulnerability have been observed at the time of writing. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh
NextGuard80% still vulnerable

EPSS

0.06% (18% percentile)

CISA SSVC

Exploitationnone
Automatableno
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L5.9MEDIUMAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredHighAuthentication level needed to attackUser InteractionRequiredWhether a victim must take actionScopeChangedImpact beyond the vulnerable componentConfidentialityLowRisk of sensitive data exposureIntegrityLowRisk of unauthorized data modificationAvailabilityLowRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
High — admin or privileged account required to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Componentwoocommerce
VendorAutomattic
Affected rangeFixed in
0 – 10.0.210.0.3

Package Information

Active installs
7.0MPopular
Plugin rating
4.5
Requires WordPress
6.8+
Compatible up to
6.9.4
Requires PHP
7.4+
Homepage

Weakness Classification (CWE)

CWE-79

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-49042 is to upgrade WooCommerce to version 10.0.3 or later, which contains the necessary fix. If upgrading immediately is not feasible, consider implementing temporary workarounds such as strict input validation and output encoding on all user-supplied data. Web Application Firewalls (WAFs) configured with rules to detect and block XSS payloads can also provide an additional layer of protection. Regularly scan your WooCommerce installation for vulnerabilities using a reputable security scanner.

How to fix

Actualice el plugin WooCommerce a la versión 10.0.3 o superior para mitigar la vulnerabilidad de XSS. Asegúrese de realizar una copia de seguridad de su sitio web antes de actualizar cualquier plugin.  Verifique la compatibilidad de la actualización con otros plugins y temas.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-49042 — Stored XSS in WooCommerce?

CVE-2025-49042 is a stored XSS vulnerability in WooCommerce versions 0.0.0–10.0.2. It allows attackers to inject malicious scripts stored in the database, potentially compromising user sessions.

Am I affected by CVE-2025-49042 in WooCommerce?

You are affected if you are using WooCommerce versions 0.0.0 through 10.0.2. Check your WooCommerce version using wp --version and upgrade if necessary.

How do I fix CVE-2025-49042 in WooCommerce?

Upgrade WooCommerce to version 10.0.3 or later. Consider temporary workarounds like input validation and WAF rules if immediate upgrade is not possible.

Is CVE-2025-49042 being actively exploited?

No active exploitation campaigns have been observed at this time, but it's crucial to apply the fix promptly to prevent potential future attacks.

Where can I find the official WooCommerce advisory for CVE-2025-49042?

Refer to the official WooCommerce security advisory on the Automattic website for detailed information and updates regarding CVE-2025-49042.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs