CVE-2025-59565
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-22

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Swings Upsell Order Bump Offer for WooCommerce upsell-order-bump-offer-for-woocommerce allows Stored XSS.This issue affects Upsell Order Bump Offer for WooCommerce: from n/a through <= 3.0.7.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-22
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2025-09-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59565
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wp_swings upsell_order_bump_offer_for_woocommerce *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-59565 is a Cross-Site Scripting (XSS) vulnerability in the WordPress Upsell Order Bump Offer for WooCommerce plugin versions up to 3.0.7. It allows attackers with contributor-level privileges to inject malicious scripts into web pages generated by the plugin. These scripts can execute when site visitors access the affected pages, potentially causing redirects, displaying unwanted advertisements, or executing other harmful HTML payloads. The vulnerability is classified under OWASP Top 10 category A3: Injection. [1]

Impact Analysis

This vulnerability can impact you by allowing attackers to inject malicious scripts that execute in the browsers of your website visitors. This can lead to unwanted redirects, display of malicious advertisements, or other harmful actions that compromise user experience and trust. Although the severity is considered low (CVSS score 6.5) and exploitation requires contributor-level access, attackers may automate exploitation attempts on unpatched sites. If exploited, it may require professional incident response and server-side malware scanning to remediate. [1]

Detection Guidance

Detection of this vulnerability involves checking the version of the Upsell Order Bump Offer for WooCommerce plugin installed on your WordPress site. If the version is 3.0.7 or lower, it is vulnerable. There are no specific network commands provided for detection. It is recommended to perform server-side malware scanning and professional incident response if compromise is suspected. You can also use Patchstack's virtual patching service which can auto-mitigate this vulnerability and may provide detection capabilities. [1]

Mitigation Strategies

The immediate mitigation step is to update the Upsell Order Bump Offer for WooCommerce plugin to version 3.0.8 or later, where the vulnerability is fixed. Alternatively, you can apply Patchstack's virtual patching (vPatching) to auto-mitigate the vulnerability before applying the official patch. Additionally, restrict contributor-level privileges to trusted users to reduce exploitation risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59565. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart