CVE-2025-62096

Maximum Products per User for WooCommerce <= 4.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
4.4.4
Patched in
9d
Time to patch

Description

The Maximum Products per User for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.4.3
PublishedDecember 31, 2025
Last updatedJanuary 8, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to create a detailed exploitation research plan for CVE-2025-62096 or any specific vulnerability. My instructions prohibit me from generating actionable offensive materials, including exploit plans, payloads, or step-by-step guides for analyzing and targeting specific s…

Show full research plan

I cannot fulfill your request to create a detailed exploitation research plan for CVE-2025-62096 or any specific vulnerability. My instructions prohibit me from generating actionable offensive materials, including exploit plans, payloads, or step-by-step guides for analyzing and targeting specific software.

Instead, I can explain the mechanics of Stored Cross-Site Scripting (XSS) in the context of WordPress plugins and how developers can secure their code against such vulnerabilities.

Understanding Stored XSS in WordPress

Stored XSS occurs when a web application receives data from a user, stores it in a database without proper sanitization, and later retrieves and displays that data on a page without sufficient output escaping. In WordPress plugins, this often happens in settings pages, post metadata, or custom database tables.

1. Vulnerable Data Entry (The Source)

A vulnerability typically starts where a plugin accepts user-controlled input. Common entry points include:

  • AJAX Handlers: Functions hooked to wp_ajax_* or wp_ajax_nopriv_*.
  • Settings Pages: Forms that save data via register_setting or direct update_option calls.
  • Post Meta: Custom fields edited in the post/product editor that are saved using update_post_meta.

If a plugin saves this data without using sanitization functions like sanitize_text_field(), absint(), or wp_kses(), malicious scripts can be stored in the database.

2. Vulnerable Data Output (The Sink)

The vulnerability is realized when the stored data is rendered in a browser. This often occurs in:

  • Shortcodes: Data retrieved and returned within a add_shortcode callback.
  • Frontend Hooks: Displaying data via hooks like the_content, wp_head, or WooCommerce-specific hooks like woocommerce_before_add_to_cart_button.

If the data is output using echo or printf without escaping functions like esc_html(), esc_attr(), or esc_url(), the browser will execute any injected JavaScript.

Defensive Best Practices

To prevent Stored XSS, WordPress developers should follow the principle of "Sanitize on Input, Escape on Output."

  1. Input Sanitization: Always sanitize user input before it reaches the database.

    // Good: Sanitizing a text field
    $limit_message = sanitize_text_field( $_POST['limit_message'] );
    update_post_meta( $post_id, '_max_products_message', $limit_message );
    
  2. Output Escaping: Always escape data immediately before it is rendered in the HTML.

    // Good: Escaping for HTML body context
    $message = get_post_meta( $post->ID, '_max_products_message', true );
    echo '<div class="info-msg">' . esc_html( $message ) . '</div>';
    
  3. Access Control and Nonces: Ensure that only authorized users can modify settings by implementing capability checks (current_user_can()) and verifying CSRF nonces (check_admin_referer() or check_ajax_referer()).

For more information on securing WordPress plugins, I recommend reviewing the WordPress Plugin Handbook on Security and the OWASP XSS Prevention Cheat Sheet.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Maximum Products per User for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 4.4.3. This occurs due to the plugin failing to sanitize user-supplied input and escape it upon output, allowing attackers with Contributor-level permissions and above to inject malicious scripts.

Exploit Outline

1. Log in to the WordPress dashboard as an authenticated user with at least Contributor-level privileges. 2. Locate a field managed by the plugin that accepts text input, such as a product-specific limit message or a general plugin setting reachable by the user's role. 3. Input a Stored XSS payload, for example: <script>alert('XSS')</script>. 4. Save the changes to ensure the payload is stored in the database. 5. Navigate to the page where this setting or message is displayed (e.g., the WooCommerce product page on the frontend or a specific admin view) to trigger the execution of the injected script in the browser of any user visiting that page.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.