Skip to main content

CVE-2025-5767: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wpwham Crowdfunding for WooCommerce

Medium
VulnerabilityCVE-2025-5767cvecve-2025-5767cwe-79
Published: Fri Jul 18 2025 (07/18/2025, 05:23:59 UTC)
Source: CVE Database V5
Vendor/Project: wpwham
Product: Crowdfunding for WooCommerce

Description

The Crowdfunding for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘width’ parameter in all versions up to, and including, 3.1.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

AILast updated: 07/18/2025, 05:48:14 UTC

Technical Analysis

CVE-2025-5767 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Crowdfunding for WooCommerce plugin developed by wpwham for WordPress. This vulnerability affects all versions up to and including 3.1.14. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'width' parameter. An authenticated attacker with Contributor-level access or higher can exploit this flaw by injecting arbitrary malicious scripts into pages. These scripts are stored persistently and executed whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or redirection to malicious sites. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based, requires low attack complexity, and privileges at the Contributor level, but no user interaction is needed for exploitation. The scope is changed, meaning the vulnerability can affect resources beyond the initially compromised component, and the impact affects confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability is classified under CWE-79, which concerns improper input neutralization leading to XSS attacks.

Potential Impact

For European organizations using WordPress with the Crowdfunding for WooCommerce plugin, this vulnerability poses a significant risk to the confidentiality and integrity of user data and site content. Attackers with Contributor-level access could inject malicious scripts that execute in the context of other users' browsers, potentially stealing session cookies, credentials, or performing unauthorized actions on behalf of users with higher privileges. This could lead to data breaches, defacement of crowdfunding campaigns, or manipulation of fundraising information, undermining trust and causing reputational damage. Since crowdfunding platforms often handle sensitive financial transactions and donor information, the exploitation of this vulnerability could also have regulatory implications under GDPR if personal data is compromised. The lack of user interaction required for exploitation increases the risk of widespread impact once an attacker gains the necessary access. Although no known exploits are currently reported, the medium severity and ease of exploitation by authenticated users make timely mitigation critical to prevent potential attacks.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify if the Crowdfunding for WooCommerce plugin is in use and verify the version. Until an official patch is released, organizations should consider the following specific mitigations: 1) Restrict Contributor-level access strictly to trusted users and review user roles to minimize the number of users with such privileges. 2) Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'width' parameter in plugin requests. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser context. 4) Monitor logs for unusual activity related to plugin parameters and user input. 5) Consider temporarily disabling or removing the plugin if it is not critical to operations. 6) Prepare to apply patches promptly once they become available from the vendor. 7) Educate site administrators and developers about secure coding practices, especially input sanitization and output escaping, to prevent similar vulnerabilities in custom plugins or themes.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-06-05T22:31:37.811Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6879dc20a83201eaacef69ed

Added to database: 7/18/2025, 5:31:12 AM

Last enriched: 7/18/2025, 5:48:14 AM

Last updated: 8/5/2025, 3:25:15 AM

Views: 8

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats