The One Click Upsell Funnel for WooCommerce plugin for WordPress suffers from a stored cross-site scripting vulnerability (CWE-79) due to improper neutralization of input during web page generation. Specifically, the wps_wocuf_pro_yes shortcode does not adequately sanitize or escape user-supplied attributes, enabling authenticated users with contributor or higher privileges to inject arbitrary JavaScript code. This malicious code executes in the context of users visiting the compromised pages, potentially impacting confidentiality and integrity. The vulnerability affects all versions up to and including 3.4.9. The CVSS 3.1 base score is 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, required privileges, no user interaction, scope change, and limited confidentiality and integrity impact without availability impact. There is no vendor advisory or patch currently linked, and no known exploitation in the wild has been documented.

An authenticated attacker with contributor-level access or higher can inject persistent malicious scripts into pages via the vulnerable shortcode. These scripts execute in the browsers of users who visit the infected pages, potentially allowing theft of session tokens, defacement, or other malicious actions affecting confidentiality and integrity. The vulnerability does not impact availability. The scope is changed, meaning the vulnerability affects resources beyond the attacker’s privileges. No known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict contributor-level access to trusted users only and consider disabling or removing the vulnerable shortcode if possible. Monitor official vendor channels for updates and apply patches promptly once available.