CVE-2025-5767: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpwham Crowdfunding for WooCommerce
The Crowdfunding for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘width’ parameter in all versions up to, and including, 3.1.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-5767 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Crowdfunding for WooCommerce plugin developed by wpwham for WordPress. This vulnerability affects all versions up to and including 3.1.14. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'width' parameter. An authenticated attacker with Contributor-level access or higher can exploit this flaw by injecting arbitrary malicious scripts into pages. These scripts are stored persistently and executed whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or redirection to malicious sites. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based, requires low attack complexity, and privileges at the Contributor level, but no user interaction is needed for exploitation. The scope is changed, meaning the vulnerability can affect resources beyond the initially compromised component, and the impact affects confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability is classified under CWE-79, which concerns improper input neutralization leading to XSS attacks.
Potential Impact
For European organizations using WordPress with the Crowdfunding for WooCommerce plugin, this vulnerability poses a significant risk to the confidentiality and integrity of user data and site content. Attackers with Contributor-level access could inject malicious scripts that execute in the context of other users' browsers, potentially stealing session cookies, credentials, or performing unauthorized actions on behalf of users with higher privileges. This could lead to data breaches, defacement of crowdfunding campaigns, or manipulation of fundraising information, undermining trust and causing reputational damage. Since crowdfunding platforms often handle sensitive financial transactions and donor information, the exploitation of this vulnerability could also have regulatory implications under GDPR if personal data is compromised. The lack of user interaction required for exploitation increases the risk of widespread impact once an attacker gains the necessary access. Although no known exploits are currently reported, the medium severity and ease of exploitation by authenticated users make timely mitigation critical to prevent potential attacks.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify if the Crowdfunding for WooCommerce plugin is in use and verify the version. Until an official patch is released, organizations should consider the following specific mitigations: 1) Restrict Contributor-level access strictly to trusted users and review user roles to minimize the number of users with such privileges. 2) Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'width' parameter in plugin requests. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser context. 4) Monitor logs for unusual activity related to plugin parameters and user input. 5) Consider temporarily disabling or removing the plugin if it is not critical to operations. 6) Prepare to apply patches promptly once they become available from the vendor. 7) Educate site administrators and developers about secure coding practices, especially input sanitization and output escaping, to prevent similar vulnerabilities in custom plugins or themes.
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy, Spain, Poland
CVE-2025-5767: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpwham Crowdfunding for WooCommerce
Description
The Crowdfunding for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘width’ parameter in all versions up to, and including, 3.1.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI-Powered Analysis
Technical Analysis
CVE-2025-5767 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Crowdfunding for WooCommerce plugin developed by wpwham for WordPress. This vulnerability affects all versions up to and including 3.1.14. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'width' parameter. An authenticated attacker with Contributor-level access or higher can exploit this flaw by injecting arbitrary malicious scripts into pages. These scripts are stored persistently and executed whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or redirection to malicious sites. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based, requires low attack complexity, and privileges at the Contributor level, but no user interaction is needed for exploitation. The scope is changed, meaning the vulnerability can affect resources beyond the initially compromised component, and the impact affects confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability is classified under CWE-79, which concerns improper input neutralization leading to XSS attacks.
Potential Impact
For European organizations using WordPress with the Crowdfunding for WooCommerce plugin, this vulnerability poses a significant risk to the confidentiality and integrity of user data and site content. Attackers with Contributor-level access could inject malicious scripts that execute in the context of other users' browsers, potentially stealing session cookies, credentials, or performing unauthorized actions on behalf of users with higher privileges. This could lead to data breaches, defacement of crowdfunding campaigns, or manipulation of fundraising information, undermining trust and causing reputational damage. Since crowdfunding platforms often handle sensitive financial transactions and donor information, the exploitation of this vulnerability could also have regulatory implications under GDPR if personal data is compromised. The lack of user interaction required for exploitation increases the risk of widespread impact once an attacker gains the necessary access. Although no known exploits are currently reported, the medium severity and ease of exploitation by authenticated users make timely mitigation critical to prevent potential attacks.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify if the Crowdfunding for WooCommerce plugin is in use and verify the version. Until an official patch is released, organizations should consider the following specific mitigations: 1) Restrict Contributor-level access strictly to trusted users and review user roles to minimize the number of users with such privileges. 2) Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'width' parameter in plugin requests. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser context. 4) Monitor logs for unusual activity related to plugin parameters and user input. 5) Consider temporarily disabling or removing the plugin if it is not critical to operations. 6) Prepare to apply patches promptly once they become available from the vendor. 7) Educate site administrators and developers about secure coding practices, especially input sanitization and output escaping, to prevent similar vulnerabilities in custom plugins or themes.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-06-05T22:31:37.811Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6879dc20a83201eaacef69ed
Added to database: 7/18/2025, 5:31:12 AM
Last enriched: 7/18/2025, 5:48:14 AM
Last updated: 8/5/2025, 3:25:15 AM
Views: 8
Related Threats
CVE-2025-9097: Improper Export of Android Application Components in Euro Information CIC banque et compte en ligne App
MediumCVE-2025-9096: Cross Site Scripting in ExpressGateway express-gateway
MediumCVE-2025-9095: Cross Site Scripting in ExpressGateway express-gateway
MediumCVE-2025-7342: CWE-798 Use of Hard-coded Credentials in Kubernetes Image Builder
HighCVE-2025-9094: Improper Neutralization of Special Elements Used in a Template Engine in ThingsBoard
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.