CVE-2025-14767: XSS in WPC Badge Management for WooCommerce

Successful exploitation of CVE-2025-14767 allows an attacker to execute malicious JavaScript code within the context of a user's browser session. This could lead to various consequences, including session hijacking, credential theft, redirection to phishing sites, or defacement of the website. The attacker needs to be authenticated with Shop Manager privileges, limiting the scope of potential victims, but still posing a significant risk to administrators and users with elevated access. The impact is amplified if the injected script targets sensitive user data or critical website functionality.

1. Reserved2025-12-16
2. 发布日期2026-05-13

The primary mitigation for CVE-2025-14767 is to immediately upgrade the WPC Badge Management for WooCommerce plugin to version 3.1.7 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider restricting access to the 'wpcbmbestseller' shortcode to trusted users only. While a direct WAF rule is difficult to implement without knowing the exact payload, monitor web application firewalls for suspicious JavaScript injection attempts targeting the plugin's functionality. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload through the 'wpcbmbestseller' shortcode and verifying that it is properly sanitized and does not execute.