CVE-2025-14767: XSS in WPC Badge Management for WooCommerce
Platform: wordpress
Component: wpc-badge-management
Fixed in: 3.1.7
CVE-2025-14767 describes a Stored Cross-Site Scripting (XSS) vulnerability discovered in the WPC Badge Management for WooCommerce plugin. This flaw allows authenticated attackers, specifically those with Shop Manager-level access or higher, to inject arbitrary web scripts. The vulnerability affects versions 0.0.0 through 3.1.6 and is resolved in version 3.1.7.
Impact and Attack Scenarios
Successful exploitation of CVE-2025-14767 allows an attacker to execute malicious JavaScript code within the context of a user's browser session. This could lead to various consequences, including session hijacking, credential theft, redirection to phishing sites, or defacement of the website. The attacker needs to be authenticated with Shop Manager privileges, which limits who can exploit the flaw but still poses a significant risk to administrators and other users with elevated access who view the injected content. The impact is amplified if the injected script targets sensitive user data or critical website functionality.
Exploitation Context
CVE-2025-14767 is currently not listed on KEV or EPSS, indicating a low probability of active exploitation. Public proof-of-concept (PoC) code is not widely available as of the publication date. The vulnerability was disclosed on 2026-05-13, and there is no immediate evidence of widespread exploitation campaigns. Refer to the official WordPress security advisory for further details.
CVSS Vector
What do these metrics mean?
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: High — admin or privileged account required to exploit.
- User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality: Low — partial or indirect data access. Attacker gains limited information.
- Integrity: Low — attacker can modify some data with limited scope or impact.
- Availability: None — no availability impact. Service remains fully operational.
Mitigation and Workarounds
The primary mitigation for CVE-2025-14767 is to immediately upgrade the WPC Badge Management for WooCommerce plugin to version 3.1.7 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider restricting access to the 'wpcbmbestseller' shortcode to trusted users only. While a direct WAF rule is difficult to implement without knowing the exact payload, monitor web application firewalls for suspicious JavaScript injection attempts targeting the plugin's functionality. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload through the 'wpcbmbestseller' shortcode and verifying that it is properly sanitized and does not execute.
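As an added illustration of the "restrict access to the shortcode" workaround above (not code from the plugin, the advisory or this page's author), the following must-use plugin wraps the 'wpcbmbestseller' shortcode so that it only renders inside posts authored by users holding the manage_options capability. The hook name, the capability chosen as the definition of "trusted", and the assumption that the plugin registers the tag with add_shortcode() on 'init' are mine, not stated on the page.

```php
<?php
/**
 * Plugin Name: Temporary gate for the wpcbmbestseller shortcode (CVE-2025-14767)
 * Description: Mu-plugin workaround until WPC Badge Management is updated to 3.1.7 or later.
 *
 * Assumptions (not confirmed by the advisory): the plugin registers the tag
 * 'wpcbmbestseller' with add_shortcode() during 'init', and "trusted users"
 * is taken to mean accounts with the 'manage_options' capability.
 */

add_action( 'init', function () {
    global $shortcode_tags;
    $tag = 'wpcbmbestseller';

    if ( empty( $shortcode_tags[ $tag ] ) ) {
        return; // Plugin inactive or tag not registered on this hook: nothing to gate.
    }
    $original = $shortcode_tags[ $tag ];

    remove_shortcode( $tag );
    add_shortcode( $tag, function ( $atts, $content = null, $name = '' ) use ( $original ) {
        // Stored XSS lives in saved post content, so the gate is applied to the
        // account that authored the post carrying the shortcode, not to the viewer.
        $post = get_post();
        if ( ! $post instanceof WP_Post ) {
            return ''; // Fail closed when rendered outside a post context.
        }
        $author_id = (int) $post->post_author;
        if ( ! user_can( $author_id, 'manage_options' ) ) {
            // Record the block so the site owner can review who placed the shortcode.
            error_log( sprintf(
                'wpcbmbestseller blocked: post %d authored by user %d (CVE-2025-14767 gate)',
                $post->ID,
                $author_id
            ) );
            return '';
        }
        // Trusted author: defer to the plugin's own handler.
        return call_user_func( $original, $atts, $content, $name );
    } );
}, PHP_INT_MAX ); // Run after the plugin's own add_shortcode() call.
```

If the early return fires on every request, the plugin registers the tag on a later hook than 'init'; move the add_action() call to that hook, and remove the mu-plugin once version 3.1.7 or later is deployed.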
How to fix
Update to version 3.1.7 or a newer patched version.
Frequently asked questions
What is CVE-2025-14767 — XSS in WPC Badge Management for WooCommerce?
CVE-2025-14767 is a Stored Cross-Site Scripting (XSS) vulnerability in the WPC Badge Management for WooCommerce plugin. It allows authenticated attackers with Shop Manager access to inject malicious scripts via the 'wpcbmbestseller' shortcode, potentially compromising user sessions.
Am I affected by CVE-2025-14767 in WPC Badge Management for WooCommerce?
You are affected if you are using WPC Badge Management for WooCommerce versions 0.0.0 through 3.1.6. Check your plugin version and upgrade immediately if you are vulnerable.
How do I fix CVE-2025-14767 in WPC Badge Management for WooCommerce?
Upgrade the WPC Badge Management for WooCommerce plugin to version 3.1.7 or later. If immediate upgrade is not possible, restrict access to the 'wpcbmbestseller' shortcode.
Is CVE-2025-14767 being actively exploited?
As of the publication date, there is no evidence of widespread exploitation campaigns targeting CVE-2025-14767, but vigilance is still advised.
Where can I find the official WPC Badge Management advisory for CVE-2025-14767?
Refer to the official WordPress security advisory and the WPC Badge Management plugin documentation for the latest information and updates regarding CVE-2025-14767.