CVE-2025-50045: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ProWCPlugins Related Products Manager for WooCommerce
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ProWCPlugins Related Products Manager for WooCommerce allows DOM-Based XSS. This issue affects Related Products Manager for WooCommerce: from n/a through 1.6.2.
AI Analysis
Technical Summary
CVE-2025-50045 is a Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting the ProWCPlugins Related Products Manager plugin for WooCommerce. The flaw is improper neutralization of input during web page generation and manifests as DOM-based XSS. All releases up to and including version 1.6.2 are affected. In a DOM-based XSS scenario, the malicious script is injected and executed in the victim's browser through client-side manipulation of the Document Object Model, so server-side input sanitization often never sees the payload. The result is unauthorized script execution within the context of the affected web application. The vulnerability has low attack complexity (AC:L), a network attack vector (AV:N), requires low privileges, i.e. an authenticated user (PR:L), and requires user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects components beyond the vulnerable plugin itself, potentially other parts of the application or user sessions. The CVSS score is 6.5 (medium severity), reflecting limited but significant impacts on confidentiality, integrity, and availability: an attacker could steal session tokens, perform actions on behalf of authenticated users, or manipulate displayed content, leading to partial data exposure or integrity loss. No known exploits are currently reported in the wild and no patches are linked yet, so mitigation may have to rely on vendor updates or temporary workarounds. The vulnerability is particularly relevant for WordPress sites running WooCommerce with this plugin installed; WooCommerce is a common e-commerce platform widely used across Europe for online retail operations.
Potential Impact
For European organizations, especially those operating e-commerce platforms using WooCommerce with the ProWCPlugins Related Products Manager, this vulnerability poses a tangible risk. Exploitation could allow attackers to execute arbitrary scripts in the context of the affected web application, potentially leading to session hijacking, theft of customer data, manipulation of product recommendations, or fraudulent transactions. This undermines customer trust and could result in regulatory non-compliance, particularly under GDPR, due to unauthorized access or leakage of personal data. The medium severity score indicates that while the vulnerability is not critical, it can still cause meaningful disruption and reputational damage. Given the widespread adoption of WooCommerce in small to medium enterprises across Europe, the attack surface is significant. Additionally, the requirement for authenticated user privileges and user interaction suggests that attackers may target employees or customers with access to the system, increasing the risk of social engineering or phishing campaigns to facilitate exploitation. The scope change implies that the vulnerability could affect multiple components, potentially amplifying the impact beyond a single plugin feature.
Mitigation Recommendations
- Apply vendor patches immediately once available to address the input neutralization flaw in the Related Products Manager plugin.
- Implement strict Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of DOM-based XSS.
- Conduct thorough input validation and output encoding on all user-controllable inputs, especially those influencing the DOM in the plugin's functionality.
- Limit plugin usage to trusted users and restrict administrative privileges to reduce the risk of authenticated exploitation.
- Regularly audit and monitor web application logs for unusual activity indicative of XSS attempts or successful exploitation.
- Educate staff and users about phishing and social engineering tactics that could be used to gain the authenticated access needed for exploitation.
- Consider deploying a Web Application Firewall (WAF) with custom rules to detect and block XSS payloads targeting the affected plugin endpoints.
- Temporarily disable or replace the Related Products Manager plugin if immediate patching is not feasible, to eliminate the attack vector.
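The validation and output-encoding recommendation above, shown as an added example that is not the plugin's code: anything read from a DOM source (location.hash, location.search, document.referrer) is treated as untrusted before it reaches a sink. The `#related=12,34` fragment format and the product objects are hypothetical.

```javascript
// Encode the five characters that matter in HTML text and attribute contexts.
// A single regex pass means values are never double-encoded.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Allowlist parser for a hypothetical fragment such as "#related=12,34".
// Only positive integers survive; any other shape is rejected outright
// instead of being passed through to the DOM.
function parseRelatedIds(fragment) {
  const m = /^#related=([0-9,]+)$/.exec(fragment || '');
  if (!m) return [];
  return m[1].split(',').filter((x) => /^[0-9]+$/.test(x)).map(Number);
}

// Build markup for a related-products list from untrusted product data.
// Every dynamic value goes through escapeHtml before concatenation, so the
// string is safe to assign to innerHTML. Where no markup is needed at all,
// assigning to textContent is still the better sink: the browser never parses it.
function renderRelatedList(products) {
  return '<ul class="related">' +
    products
      .map((p) => `<li data-id="${escapeHtml(p.id)}">${escapeHtml(p.name)}</li>`)
      .join('') +
    '</ul>';
}

// Constructed sample input: a fragment and product names containing markup characters.
const ids = parseRelatedIds('#related=12,34');
const html = renderRelatedList([
  { id: 12, name: 'Mug "Tall" & Co' },
  { id: 34, name: '<b>Plate</b>' },
]);
console.log(ids, html);
```

A CSP such as `script-src 'self'` with no `'unsafe-inline'` limits what an injected inline script can do even where an encoding step is missed, which is why the recommendation lists both.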
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-06-11T16:08:50.967Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68568e85aded773421b5aaf9
Added to database: 6/21/2025, 10:50:45 AM
Last enriched: 6/21/2025, 11:08:57 AM
Last updated: 8/14/2025, 12:07:56 AM
Views: 12