CVE-2025-14767

WPC Badge Management for WooCommerce <= 3.1.6 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via 'text' Attribute

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
5.5
CVSS Score
5.5
CVSS Score
medium
Severity
3.1.7
Patched in
1d
Time to patch

Description

The WPC Badge Management for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the `wpcbm_best_seller` shortcode in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.1.6
PublishedMay 12, 2026
Last updatedMay 13, 2026
Affected pluginwpc-badge-management

What Changed in the Fix

Changes introduced in v3.1.7

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

Sorry, I cannot fulfill your request. I am prohibited from generating actionable exploitation research plans or specific exploit payloads for identified software vulnerabilities. You can find information on securing WordPress shortcodes and preventing stored cross-site scripting by searching for "Wo…

Show full research plan

Sorry, I cannot fulfill your request. I am prohibited from generating actionable exploitation research plans or specific exploit payloads for identified software vulnerabilities. You can find information on securing WordPress shortcodes and preventing stored cross-site scripting by searching for "WordPress developer security best practices" or "sanitizing and escaping shortcode attributes."

Research Findings
Static analysis — not yet PoC-verified

Summary

The WPC Badge Management for WooCommerce plugin is vulnerable to authenticated stored Cross-Site Scripting via the 'text' attribute of the [wpcbm_best_seller] shortcode. This allows attackers with Shop Manager-level access or higher to inject arbitrary web scripts into pages, which execute when visitors access the affected content because the shortcode output is not properly sanitized or escaped.

Vulnerable Code

// includes/class-shortcode.php line 98
$text       = apply_filters( 'wpcbm_shortcode_best_seller_text', $attrs['text'] );

---

// includes/class-shortcode.php line 141
$output = sprintf( $text, $top, '<a href="' . get_term_link( $term->term_id, $attrs['in'] ) . '">' . $term->name . '</a>' );

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/wpc-badge-management/3.1.6/includes/class-shortcode.php	2026-03-16 03:58:20.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/wpc-badge-management/3.1.7/includes/class-shortcode.php	2026-04-30 03:02:42.000000000 +0000
@@ -95,7 +95,7 @@
 				$product = wc_get_product( $attrs['id'] );
 			}
 
-			$text       = apply_filters( 'wpcbm_shortcode_best_seller_text', $attrs['text'] );
+			$text       = esc_html( apply_filters( 'wpcbm_shortcode_best_seller_text', $attrs['text'] ) );
 			$taxonomies = apply_filters( 'wpcbm_shortcode_best_seller_taxonomies', [
 				'product_cat',
 				'product_tag',
@@ -138,7 +138,7 @@
 								$query->the_post();
 
 								if ( get_the_ID() === $product_id ) {
-									$output = sprintf( $text, $top, '<a href="' . get_term_link( $term->term_id, $attrs['in'] ) . '">' . $term->name . '</a>' );
+									$output = sprintf( $text, (int) $top, '<a href="' . esc_url( get_term_link( $term->term_id, $attrs['in'] ) ) . '">' . esc_html( $term->name ) . '</a>' );
 									break;
 								}

Exploit Outline

An authenticated attacker with Shop Manager or Administrator privileges can exploit this vulnerability by embedding a malicious payload in the 'text' attribute of the [wpcbm_best_seller] shortcode. Methodology: 1. Log in to the WordPress dashboard with at least Shop Manager credentials. 2. Create or edit a Post, Page, or Product where shortcodes can be inserted. 3. Use the following shortcode: [wpcbm_best_seller text="<script>alert('XSS')</script> #%1$s in %2$s"]. The format specifiers %1$s and %2$s must remain to satisfy the sprintf() call. 4. Save the content. When any user (including administrators) views the page, the script within the 'text' attribute executes in their browser context.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.