CVE-2025-10167 is a stored cross-site scripting vulnerability in the Stock History & Reports Manager for WooCommerce plugin for WordPress. The issue exists due to improper neutralization of input during web page generation, specifically in the handling of the 'alg_wc_stock_snapshot_restocked' shortcode. Authenticated attackers with contributor or higher privileges can inject arbitrary web scripts via insufficiently sanitized shortcode attributes. These scripts execute in the context of users viewing the injected pages, potentially leading to session hijacking or other script-based attacks. The vulnerability affects all plugin versions up to and including 2.2.2. There is no vendor advisory or patch information available to confirm remediation status.

Successful exploitation allows authenticated users with contributor-level access or above to inject persistent malicious scripts into pages via shortcode attributes. These scripts execute in the browsers of users who view the affected pages, potentially compromising user sessions or performing unauthorized actions within the context of the victim's browser. The vulnerability does not affect availability but impacts confidentiality and integrity to a limited extent. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, required privileges (low), no user interaction, and partial impact on confidentiality and integrity.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict contributor-level access to trusted users only and consider disabling or removing the vulnerable plugin if possible. Monitor for plugin updates from wpcodefactory addressing this vulnerability and apply them promptly once available.