The CoDesigner WooCommerce Builder plugin for WordPress contains a stored cross-site scripting vulnerability (CWE-79) in its Shop Slider, Tabs Classic, and Image Comparison widgets. This vulnerability is due to improper neutralization of input during web page generation, specifically insufficient input sanitization and output escaping of user-supplied attributes. Authenticated attackers with contributor-level privileges or higher can exploit this to inject arbitrary web scripts that execute when other users access the compromised pages. The vulnerability affects all plugin versions up to 4.4.1. The CVSS 3.1 base score is 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, and partial impact on confidentiality and integrity with no impact on availability. No patch or vendor advisory is currently available to confirm remediation status.

An authenticated user with contributor-level access or higher can inject persistent malicious scripts into pages via vulnerable widgets. These scripts execute in the context of other users viewing the pages, potentially leading to partial confidentiality and integrity compromise. There is no reported impact on availability. The vulnerability can facilitate actions such as session hijacking or unauthorized actions performed by victim users within the affected WordPress site.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict contributor-level access to trusted users only and consider disabling or avoiding use of the affected widgets (Shop Slider, Tabs Classic, Image Comparison) to reduce exposure. Monitor vendor channels for updates regarding patches or official mitigations.