The Big Post Shipping for WooCommerce plugin for WordPress suffers from a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-10191. This vulnerability is due to improper neutralization of user-supplied input during web page generation, specifically within the 'wooboigpost_shipping_status' shortcode. The plugin fails to adequately sanitize and escape attributes provided by users, allowing an attacker with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes every time any user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability has a CVSS v3.1 base score of 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change due to impact on other components. No patches or fixes have been linked yet, and no known exploits are reported in the wild. This vulnerability highlights the risks of insufficient input validation in WordPress plugins, especially those that handle user-generated content or shortcodes.

If exploited, this vulnerability can lead to significant security risks for organizations using the affected plugin. Attackers with contributor-level access can inject malicious scripts that execute in the browsers of users visiting the compromised pages. This can result in session hijacking, credential theft, unauthorized actions performed with the victim's privileges, defacement, or distribution of malware. Since WooCommerce is widely used for e-commerce, such attacks could undermine customer trust, lead to data breaches, and cause financial losses. The requirement for authenticated access limits the attack surface somewhat, but insider threats or compromised contributor accounts could be leveraged. The scope change indicates that the vulnerability affects components beyond the immediate plugin, potentially impacting the broader WordPress environment and its users. Organizations relying on this plugin for shipping management should consider the risk to their e-commerce operations and customer data.

Organizations should immediately audit their WordPress installations to identify the presence of the Big Post Shipping for WooCommerce plugin and verify the version in use. Since no official patches are currently linked, administrators should consider the following mitigations: restrict contributor-level access strictly to trusted users, implement Web Application Firewall (WAF) rules to detect and block suspicious shortcode attribute inputs, and monitor logs for unusual activity related to the 'wooboigpost_shipping_status' shortcode. Additionally, temporarily disabling or removing the plugin until a patch is available can prevent exploitation. Developers and site administrators should also review and sanitize all user inputs rigorously and apply output escaping best practices in custom shortcodes. Keeping WordPress core and all plugins updated is essential once a fix is released. Regular security audits and user privilege reviews will help reduce the risk of exploitation.