CVE-2025-68011
BaseFortify
Publication date: 2026-01-22
Last updated on: 2026-01-28
Assigner: Patchstack
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gls | gls_shipping_for_woocommerce | up to 1.4.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2025-68011 is a medium severity Reflected Cross Site Scripting (XSS) vulnerability in the GLS Shipping for WooCommerce plugin (versions up to 1.4.0). It allows an attacker to inject malicious scripts, such as redirects or advertisements, into a website. These scripts execute when visitors access the compromised site, potentially causing unauthorized actions or data exposure. Exploitation requires user interaction, like clicking a malicious link or submitting a crafted form. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized actions on your website or exposure of sensitive data by executing malicious scripts in the context of your site. It may result in redirecting users to malicious sites, displaying unwanted advertisements, or stealing user information. Since exploitation requires user interaction, attackers might trick users into clicking malicious links or submitting harmful forms, compromising your site's security and user trust. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for attempts to inject malicious scripts via the GLS Shipping for WooCommerce plugin, such as suspicious URL parameters or form submissions containing script tags or encoded payloads. Since no official patch or detection tool is provided, you can use web application firewall (WAF) logs or intrusion detection systems (IDS) to look for reflected XSS attack patterns targeting the plugin. Specific commands are not provided in the resources. [1]
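The answer above describes looking through WAF or web-server logs for reflected XSS patterns but gives no concrete procedure. The script below is an added example written for this page; it is not code from BaseFortify, Patchstack or the plugin, and it does not know the vulnerable parameter (the advisory does not name one). It parses Apache/nginx combined-format access log lines, repeatedly URL-decodes every query-string value so double-encoded payloads are not missed, and flags requests whose values contain script tags, inline event handlers or `javascript:` URIs, noting whether the request path touches the plugin directory. The log lines, the plugin slug `gls-shipping-for-woocommerce`, the request paths and the parameter names are all constructed assumptions for illustration.

```python
"""Scan access-log lines for reflected-XSS probes (added example, constructed data)."""
import re
from urllib.parse import parse_qsl, unquote, urlparse

# Assumption: the plugin lives under this slug; the advisory does not state the path.
PLUGIN_PATH_HINT = "gls-shipping-for-woocommerce"

# Indicators typical of reflected-XSS probes. Applied after full URL decoding.
XSS_PATTERNS = [
    re.compile(r"<\s*/?\s*script\b", re.I),                      # <script> / </script>
    re.compile(r"\bon(error|load|click|mouseover|focus)\s*=", re.I),  # inline handlers
    re.compile(r"javascript\s*:", re.I),                          # javascript: URIs
    re.compile(r"<\s*(img|svg|iframe|body)\b", re.I),             # common carrier tags
]

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so %253C (double-encoded '<') is still caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("+", " ")


def find_xss_indicators(target):
    """Return (param, pattern) pairs for query values matching an XSS indicator."""
    query = urlparse(target).query
    hits = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)  # parse_qsl decoded once; handle further layers
        for pattern in XSS_PATTERNS:
            if pattern.search(value):
                hits.append((name, pattern.pattern))
    return hits


def scan_log(lines):
    """Parse each log line and report requests carrying XSS indicators."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-format; skip rather than guess
        target = m.group("target")
        hits = find_xss_indicators(target)
        if not hits:
            continue
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "path": urlparse(target).path,
            "targets_plugin": PLUGIN_PATH_HINT in target.lower(),
            "params": sorted({name for name, _ in hits}),
            "status": int(m.group("status")),
        })
    return findings


# Constructed sample log: a benign request, a single-encoded probe against the
# assumed plugin path, a double-encoded probe elsewhere, and a benign POST.
SAMPLE_LOG = [
    '203.0.113.10 - - [22/Jan/2026:10:00:01 +0000] "GET /shop/?product_cat=boxes HTTP/1.1" 200 5120',
    '203.0.113.11 - - [22/Jan/2026:10:00:05 +0000] "GET /wp-content/plugins/'
    'gls-shipping-for-woocommerce/?ref=%3Cscript%3Ex%3C/script%3E HTTP/1.1" 200 812',
    '203.0.113.12 - - [22/Jan/2026:10:00:09 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=lookup&q=%253Cimg%2520src%253Dx%2520onerror%253Dy%253E HTTP/1.1" 200 91',
    '198.51.100.7 - - [22/Jan/2026:10:00:12 +0000] "POST /checkout/ HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        flag = "PLUGIN" if finding["targets_plugin"] else "other"
        print(f'{finding["timestamp"]} {finding["ip"]} [{flag}] {finding["path"]} params={finding["params"]}')
```

Run it against real access logs by replacing `SAMPLE_LOG` with the file's lines; hits whose `targets_plugin` flag is set deserve the first look, but the other hits still show who is probing the site. The decoding loop matters because a single `unquote` would leave `%3Cscript%3E` intact in a double-encoded request and the patterns would never fire.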
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the Patchstack mitigation rule designed to block attacks exploiting this vulnerability until an official fix is released. Additionally, restrict user privileges to minimize exposure, monitor for suspicious activity, and avoid clicking on untrusted links or submitting untrusted forms related to the plugin. Since no official patch is available yet, applying the mitigation rule from Patchstack is the recommended action. [1]