The WPC Smart Messages for WooCommerce plugin suffers from a stored cross-site scripting vulnerability identified as CVE-2026-6725. This vulnerability arises from improper neutralization of input in the 'text' attribute of the wpcsm_text_rotator shortcode, allowing authenticated users with contributor-level privileges or higher to inject arbitrary web scripts. These scripts are stored and executed when any user accesses the affected page, potentially leading to session hijacking or other script-based attacks. The vulnerability is present in all versions up to 4.2.8. The CVSS 3.1 base score is 6.4, reflecting a network attack vector, low attack complexity, and required privileges at the contributor level, with no user interaction needed. The impact includes limited confidentiality and integrity loss but no availability impact. No vendor patch or official remediation has been published yet.

An authenticated attacker with contributor-level access or higher can exploit this vulnerability to inject and store malicious scripts in the plugin's shortcode attribute. These scripts execute in the context of users visiting the affected pages, potentially allowing theft of session tokens, defacement, or other malicious actions impacting confidentiality and integrity. There is no direct impact on system availability. The vulnerability is rated medium severity with a CVSS score of 6.4. No known exploits have been reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, limit contributor-level access to trusted users only. Consider disabling or removing the WPC Smart Messages for WooCommerce plugin if feasible. Monitor for updates from the vendor and apply patches promptly once available.