CVE-2025-14626
Stored XSS in WooCommerce QR Code Plugin Allows Script Injection
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| goaskle | qr_code_for_woocommerce_order_emails_pdf_invoices_packing_slips | to 1.9.42 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the QR Code for WooCommerce order emails, PDF invoices, packing slips plugin for WordPress. It occurs due to insufficient input sanitization and output escaping on user-supplied attributes in the plugin's shortcode. Authenticated attackers with contributor-level access or higher can inject arbitrary web scripts that execute whenever a user accesses the injected page.
How can this vulnerability impact me? :
The vulnerability allows attackers with contributor-level access or above to inject malicious scripts into pages viewed by other users. This can lead to unauthorized actions, data theft, or session hijacking for users who access the affected pages, potentially compromising the security and integrity of the website and its users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable plugin 'QR Code for WooCommerce order emails, PDF invoices, packing slips' version 1.9.42 or earlier installed on your WordPress site. Additionally, you can search for usage of the shortcode [qrcodetag_from_goaskle_com] in posts, pages, or plugin settings, as it is the vector for the stored XSS. Since the vulnerability involves stored cross-site scripting via shortcode attributes, monitoring HTTP requests and responses for suspicious script injections in pages that render this shortcode may help detect exploitation attempts. Specific commands to detect the plugin version include using WP-CLI: `wp plugin list --format=json` to list installed plugins and their versions. You can also grep the WordPress files for the shortcode usage: `grep -r '\[qrcodetag_from_goaskle_com' ./wp-content/` to find where the shortcode is used. Network detection of exploitation attempts may involve inspecting HTTP traffic for injected scripts in pages serving the shortcode. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include: 1) Updating the 'QR Code for WooCommerce order emails, PDF invoices, packing slips' plugin to a version later than 1.9.42 where the vulnerability is fixed. 2) If an update is not immediately available, restrict contributor-level and above users from adding or editing content that uses the vulnerable shortcode or sanitize inputs manually. 3) Disable or remove the shortcode [qrcodetag_from_goaskle_com] usage temporarily to prevent script injection. 4) Review user roles and permissions to limit authenticated users who can inject scripts. 5) Monitor and clean any injected scripts from affected pages. These steps help prevent exploitation of the stored XSS vulnerability caused by insufficient input sanitization and output escaping. [1]