CVE-2025-59565
BaseFortify
Publication date: 2025-09-22
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_swings | upsell_order_bump_offer_for_woocommerce | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-59565 is a Cross-Site Scripting (XSS) vulnerability in the WordPress Upsell Order Bump Offer for WooCommerce plugin versions up to 3.0.7. It allows attackers with contributor-level privileges to inject malicious scripts into web pages generated by the plugin. These scripts can execute when site visitors access the affected pages, potentially causing redirects, displaying unwanted advertisements, or executing other harmful HTML payloads. The vulnerability is classified under OWASP Top 10 category A3: Injection. [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to inject malicious scripts that execute in the browsers of your website visitors. This can lead to unwanted redirects, display of malicious advertisements, or other harmful actions that compromise user experience and trust. Although the severity is considered low (CVSS score 6.5) and exploitation requires contributor-level access, attackers may automate exploitation attempts on unpatched sites. If exploited, it may require professional incident response and server-side malware scanning to remediate. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking the version of the Upsell Order Bump Offer for WooCommerce plugin installed on your WordPress site. If the version is 3.0.7 or lower, it is vulnerable. There are no specific network commands provided for detection. It is recommended to perform server-side malware scanning and professional incident response if compromise is suspected. You can also use Patchstack's virtual patching service which can auto-mitigate this vulnerability and may provide detection capabilities. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Upsell Order Bump Offer for WooCommerce plugin to version 3.0.8 or later, where the vulnerability is fixed. Alternatively, you can apply Patchstack's virtual patching (vPatching) to auto-mitigate the vulnerability before applying the official patch. Additionally, restrict contributor-level privileges to trusted users to reduce exploitation risk. [1]