CVE-2025-7496
BaseFortify
Publication date: 2025-08-19
Last updated on: 2025-08-19
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wordpress | * |
| woocommerce | woo_smart_compare | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the WPC Smart Compare for WooCommerce WordPress plugin. It occurs because the plugin does not properly sanitize input or escape output in DOM elements, allowing authenticated users with Contributor-level access or higher to inject malicious scripts. These scripts then execute whenever any user views the affected page.
How can this vulnerability impact me? :
The vulnerability can allow attackers with Contributor-level access to inject arbitrary scripts into pages, which execute when other users visit those pages. This can lead to unauthorized actions, data theft, session hijacking, or defacement of the website, potentially compromising user data and site integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the Woo Smart Compare for WooCommerce plugin is installed and running a vulnerable version (up to and including 6.4.7). Since the vulnerability is a Stored Cross-Site Scripting (XSS) via DOM elements exploitable by authenticated users with Contributor-level access, detection can include: 1) Reviewing plugin version via WordPress admin or command line (e.g., wp-cli: `wp plugin list`), 2) Searching for suspicious injected scripts in pages generated by the plugin, 3) Monitoring HTTP traffic for unexpected script injections in plugin-related pages. Specific commands: - `wp plugin get woo-smart-compare --field=version` to check plugin version. - Use browser developer tools or automated scanners to inspect DOM elements on pages using the plugin for injected scripts. - Network traffic capture tools (e.g., `tcpdump`, `Wireshark`) can be used to monitor for suspicious script payloads in HTTP responses related to the plugin. However, no explicit detection commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Woo Smart Compare for WooCommerce plugin to version 6.4.8 or later, as this version includes a security fix that replaces unsafe `.html()` calls with safer `.text()` calls in the frontend JavaScript, preventing the XSS vulnerability. Ensuring that the plugin is updated to this fixed version will mitigate the vulnerability. Additionally, restricting Contributor-level access to trusted users can reduce risk until the update is applied. [1]