The Experto Dashboard for WooCommerce plugin for WordPress suffers from a stored cross-site scripting vulnerability (CWE-79) due to lack of input sanitization and output escaping in settings fields such as font size and weight options. This allows authenticated administrators to inject malicious scripts that execute on the settings page load. The issue affects all versions up to 1.0.4 and specifically impacts multi-site installations or those with unfiltered_html disabled. The vulnerability has a CVSS 3.1 base score of 4.4 (medium severity) with network attack vector, high attack complexity, and requires high privileges without user interaction. No patch or official fix has been published as of the data provided.

An authenticated user with Administrator-level privileges can inject and store malicious scripts in plugin settings fields. These scripts execute in the context of the WordPress admin settings page when accessed by any user with access, potentially leading to session hijacking, privilege escalation, or other attacks limited to the admin interface. The impact is limited to environments where multi-site is enabled or unfiltered_html is disabled, reducing the attack surface. There is no indication of impact on confidentiality beyond limited data accessible via the admin interface. No known active exploitation has been reported.

No official patch or remediation is currently available for this vulnerability. Administrators should restrict access to the plugin settings page to trusted users only and consider disabling or limiting use of the affected plugin until a fix is released. Monitoring for plugin updates from the vendor or WordPress repository is recommended to apply any future patches promptly. Since the vulnerability requires administrator privileges and specific WordPress configurations, limiting administrative accounts and reviewing user permissions can reduce risk.