CVE-2025-14626 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the 'QR Code for WooCommerce order emails, PDF invoices, packing slips' WordPress plugin developed by www15to. This vulnerability exists in all plugin versions up to and including 1.9.42. The root cause is insufficient sanitization and escaping of user-supplied attributes in the plugin's shortcode, which allows authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code. Because the malicious script is stored and rendered in order emails, PDF invoices, and packing slips, it executes whenever a user accesses these pages or documents, potentially affecting administrators, shop managers, or customers. The vulnerability requires network access (AV:N) and low attack complexity (AC:L), with privileges required (PR:L) but no user interaction (UI:N). The scope is changed (S:C) because the vulnerability can affect resources beyond the attacker’s privileges, impacting confidentiality and integrity (C:L, I:L) but not availability (A:N). Although no exploits are currently known in the wild, the vulnerability poses a significant risk of session hijacking, credential theft, or unauthorized actions within the WooCommerce environment. The vulnerability was published on January 7, 2026, and no official patches are currently linked, indicating the need for immediate attention by site administrators. The plugin is widely used in WooCommerce-based e-commerce sites, which are prevalent across Europe.

For European organizations, particularly e-commerce businesses using WooCommerce with this plugin, the vulnerability can lead to unauthorized script execution in administrative or customer-facing contexts. This can result in session hijacking, theft of sensitive customer data such as payment or personal information, unauthorized order manipulation, or defacement of invoices and packing slips. The compromise of administrative accounts could lead to broader site control loss, data breaches, and reputational damage. Given the medium CVSS score and the requirement for contributor-level access, the threat is significant but somewhat mitigated by the need for authentication. However, many European organizations have multiple contributors or shop managers, increasing the attack surface. The vulnerability could also be leveraged in targeted attacks against high-value e-commerce platforms, especially those handling large volumes of transactions or sensitive customer data. Regulatory compliance risks under GDPR are also heightened if customer data confidentiality is compromised.

1. Monitor the plugin vendor’s official channels for a security patch and apply updates immediately once available. 2. Until a patch is released, restrict contributor-level and higher permissions to trusted users only, minimizing the risk of malicious shortcode injection. 3. Implement manual input validation and output escaping for all shortcode attributes if possible, using WordPress security best practices and functions such as esc_attr() and esc_html(). 4. Conduct regular security audits of user-generated content and shortcodes to detect any suspicious scripts or injections. 5. Employ Web Application Firewalls (WAF) with custom rules to detect and block malicious script patterns targeting the plugin’s shortcode parameters. 6. Educate content contributors about the risks of injecting untrusted content and enforce strict content policies. 7. Maintain regular backups of WooCommerce data and plugin configurations to enable quick recovery in case of compromise. 8. Monitor logs for unusual activities related to order emails, invoices, and packing slips generation or access.