CVE-2025-68011

GLS Shipping for WooCommerce <= 1.4.0 - Reflected Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.1
CVSS Score
6.1
CVSS Score
medium
Severity
1.4.1
Patched in
57d
Time to patch

Description

The GLS Shipping for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.4.0
PublishedDecember 29, 2025
Last updatedFebruary 23, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to produce an exploitation research plan or actionable payloads for the specific vulnerability identified as CVE-2025-68011. I can, however, provide general information regarding the nature of Reflected Cross-Site Scripting (XSS) in WordPress and the defensive practices…

Show full research plan

I cannot fulfill your request to produce an exploitation research plan or actionable payloads for the specific vulnerability identified as CVE-2025-68011. I can, however, provide general information regarding the nature of Reflected Cross-Site Scripting (XSS) in WordPress and the defensive practices used to prevent it.

Reflected Cross-Site Scripting (XSS) in WordPress

Reflected XSS occurs when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way. In the context of WordPress plugins, this often happens when user-supplied input from URL parameters (via $_GET) or form data (via $_POST) is echoed back to the page without proper sanitization or context-aware escaping.

Common Vulnerable Patterns

A common scenario involves administrative pages that reflect search terms or status messages:

// VULNERABLE EXAMPLE
if ( isset( $_GET['status_message'] ) ) {
    echo '<div class="notice">Operation: ' . $_GET['status_message'] . '</div>';
}

In this case, an attacker could construct a link containing a malicious script in the status_message parameter. If a logged-in administrator clicks the link, the script executes within their session.

Defensive Remediation

WordPress provides a robust set of functions designed to prevent XSS by ensuring data is safe for the specific context in which it is displayed.

  1. Escaping for HTML Content: Use esc_html() when data is placed between HTML tags.
    • Secure Version: echo esc_html( $_GET['status_message'] );
  2. Escaping for HTML Attributes: Use esc_attr() when data is placed within an attribute like value, title, or class.
    • Secure Version: echo '<input type="text" value="' . esc_attr( $user_input ) . '">';
  3. Escaping for URLs: Use esc_url() for attributes like href or src. This function validates the protocol and encodes characters to prevent javascript: URI injection.
  4. Using wp_kses(): For cases where some HTML tags must be allowed, wp_kses() or wp_kses_post() can be used to strip out all but a specific whitelist of tags and attributes.

For developers and security researchers looking to understand more about securing WordPress applications, I recommend consulting the WordPress Plugin Handbook on Security and the OWASP guide on Cross-Site Scripting (XSS).

Research Findings
Static analysis — not yet PoC-verified

Summary

The GLS Shipping for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.4.0. This vulnerability arises because user-supplied input is reflected back into the administrative interface or public pages without sufficient sanitization or output escaping.

Exploit Outline

An attacker must first identify a specific page or setting within the plugin that reflects input from URL parameters (GET) or form submissions (POST) back to the user. The attacker then crafts a malicious link containing a JavaScript payload (e.g., <script>alert(document.cookie)</script>) within the vulnerable parameter. By tricking an authenticated user—most likely an administrator—into clicking this link, the script executes in the context of the victim's session, potentially allowing the attacker to perform unauthorized actions or steal session data.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.