Platform
wordpress
Component
woocommerce
Fixed in
10.0.3
CVE-2025-49042 describes a Stored Cross-Site Scripting (XSS) vulnerability discovered in WooCommerce. This flaw allows attackers to inject malicious scripts that are stored within the database and subsequently executed when other users access affected pages. Versions of WooCommerce from 0.0.0 up to and including 10.0.2 are vulnerable, and a fix is available in version 10.0.3.
Successful exploitation of this XSS vulnerability allows an attacker to execute arbitrary JavaScript in the browser of any user who views the page where the payload is stored. Because the script runs in the origin of the store, it can read page content, issue authenticated requests with the victim's session cookie and WordPress nonces, redirect the victim to phishing pages, or deface the storefront. The stored nature of the flaw means the payload persists in the database until it is removed and fires for every visitor to the affected page, so a single injection can affect many users over time. The impact scales with the victim's role: if an administrator or shop manager triggers the payload, the script can perform any action that account can perform, which in practice amounts to a takeover of the store.
CVE-2025-49042 was published on 2025-10-29. Severity is currently assessed as Medium. No public exploits or active campaigns targeting this vulnerability have been observed at the time of writing. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.
Exploit Status
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-49042 is to upgrade WooCommerce to version 10.0.3 or later, which contains the fix. If upgrading immediately is not feasible, note that the advisory does not identify the affected input, so only generic compensating controls are available: a Web Application Firewall with XSS rules in front of the store, a Content Security Policy that limits where inline and third-party scripts can run, and restricting lower-privileged accounts from submitting content that privileged users later view. Input validation and output encoding are the developer's fix and live in the plugin code itself; a site operator cannot retrofit them to a third-party plugin, which is why the upgrade is the only complete remediation. Scan the installation regularly with a reputable vulnerability scanner so that this and future plugin issues are caught early.
Update the WooCommerce plugin to version 10.0.3 or later to mitigate the XSS vulnerability. Back up your site before updating any plugin, and verify that the update is compatible with your other plugins and themes.
CVE-2025-49042 is a stored XSS vulnerability in WooCommerce versions 0.0.0–10.0.2. It allows attackers to inject malicious scripts stored in the database, potentially compromising user sessions.
You are affected if you are running WooCommerce 0.0.0 through 10.0.2. Check the installed plugin version with `wp plugin get woocommerce --field=version` (note that `wp --version` reports the WP-CLI version, not WooCommerce's) or under Plugins in the WordPress admin, and upgrade if it is below 10.0.3.
Upgrade WooCommerce to version 10.0.3 or later. Consider temporary workarounds like input validation and WAF rules if immediate upgrade is not possible.
No active exploitation campaigns have been observed at this time, but it's crucial to apply the fix promptly to prevent potential future attacks.
Refer to the official WooCommerce security advisory on the Automattic website for detailed information and updates regarding CVE-2025-49042.
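The version check and upgrade steps above, as an added shell example that is not part of the advisory or of WooCommerce itself. It compares a dotted version against the fixed release 10.0.3 with a component-wise comparison (plain string comparison would wrongly rank 9.9.9 above 10.0.3), and wraps the WP-CLI commands `wp plugin get woocommerce --field=version` and `wp plugin update woocommerce` in a `check_site` helper; the sample versions at the bottom are constructed to show the decision and are not from any real site.

```shell
#!/bin/sh
# Added example (not from the advisory or WooCommerce): decide whether an
# installed WooCommerce version lies in the affected range 0.0.0 - 10.0.2
# for CVE-2025-49042, and show the WP-CLI commands used to read and update it.

FIXED_VERSION="10.0.3"

# vercmp A B: print -1 if A < B, 0 if equal, 1 if A > B. Dotted numeric
# components are compared one by one, so 9.9.9 < 10.0.0 and 10 < 10.0.3.
# A pre-release suffix such as "-rc.1" is ignored for the comparison.
vercmp() {
    a=${1%%-*}; b=${2%%-*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; if [ "$ai" = "$a" ]; then a=""; else a=${a#*.}; fi
        bi=${b%%.*}; if [ "$bi" = "$b" ]; then b=""; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# wc_is_vulnerable VERSION: succeed (exit 0) if VERSION is older than the
# fixed release, i.e. inside the affected range.
wc_is_vulnerable() {
    [ "$(vercmp "$1" "$FIXED_VERSION")" -eq -1 ]
}

# check_site PATH: read the installed WooCommerce version from the WordPress
# install at PATH with WP-CLI and report. Not invoked automatically below so the
# script stays usable on a machine without WP-CLI.
check_site() {
    path="$1"
    v=$(wp plugin get woocommerce --field=version --path="$path" 2>/dev/null) || {
        echo "WooCommerce not installed or WP-CLI unavailable at $path"
        return 2
    }
    if wc_is_vulnerable "$v"; then
        echo "WooCommerce $v at $path is affected by CVE-2025-49042; run:"
        echo "  wp plugin update woocommerce --path=$path"
        return 1
    fi
    echo "WooCommerce $v at $path is not affected (>= $FIXED_VERSION)"
    return 0
}

# Constructed sample versions (not read from any real site) to show the decision.
for v in 9.9.9 10.0.2 10.0.3 10.1.0; do
    if wc_is_vulnerable "$v"; then echo "$v: affected"; else echo "$v: fixed"; fi
done
```

Run `check_site /var/www/html` (path assumed) on the server to test a live install; the function exits 1 when the store is affected, so it can drive a cron job or a fleet-wide loop over several WordPress roots.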