CVE-2025-14626 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WordPress plugin 'QR Code for WooCommerce order emails, PDF invoices, packing slips' developed by www15to. This plugin is widely used to embed QR codes into WooCommerce-generated order emails, PDF invoices, and packing slips to facilitate order processing and tracking. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically due to insufficient sanitization and escaping of user-supplied attributes in the plugin's shortcode functionality. Authenticated attackers with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into shortcode attributes. Because the malicious script is stored, it executes whenever any user accesses the affected page, potentially including administrators or customers viewing order details. The CVSS 3.1 score of 6.4 reflects a medium severity level, with an attack vector over the network, low attack complexity, and requiring privileges of at least contributor level but no user interaction. The impact includes partial confidentiality and integrity compromise, such as session hijacking, data theft, or unauthorized actions performed in the context of the victim's browser session. However, availability is not affected. No public exploits have been reported yet, but the vulnerability poses a significant risk given the plugin's role in e-commerce workflows and the common presence of multiple contributors in WooCommerce environments. The vulnerability was published on January 7, 2026, and no official patches have been linked yet, emphasizing the need for proactive mitigation.

For European organizations, this vulnerability could lead to unauthorized script execution within the context of WooCommerce order management pages, potentially exposing sensitive customer data, including order details and personal information. Attackers could leverage this to hijack user sessions, perform actions on behalf of legitimate users, or inject malicious content that damages brand reputation. Since WooCommerce is a popular e-commerce platform in Europe, especially among small and medium enterprises, the risk is amplified in organizations with multiple content contributors who have at least contributor-level access. The vulnerability could disrupt business operations by undermining customer trust and exposing compliance risks related to GDPR due to potential data leakage. Although availability is not impacted, the confidentiality and integrity breaches could lead to financial losses and regulatory penalties. The lack of known exploits in the wild currently provides a window for mitigation, but the medium severity score indicates that exploitation is feasible and impactful enough to warrant urgent attention.

1. Monitor for official patches or updates from the www15to plugin vendor and apply them immediately once available. 2. Until a patch is released, restrict contributor-level access and above to trusted users only, minimizing the risk of malicious shortcode injection. 3. Implement additional input validation and output encoding at the WordPress application or web server level to sanitize shortcode attributes before rendering. 4. Employ Web Application Firewalls (WAFs) with rules targeting XSS payloads in shortcode parameters to block suspicious requests. 5. Conduct regular security audits and code reviews of custom plugins or themes that interact with WooCommerce shortcodes. 6. Educate content contributors about secure input practices and the risks of injecting untrusted data. 7. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected pages. 8. Monitor logs for unusual activity related to shortcode usage or script execution to detect potential exploitation attempts early.