CVE-2025-68041
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-22

Last updated on: 2026-01-28

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codisto Omnichannel for WooCommerce codistoconnect allows Stored XSS.This issue affects Omnichannel for WooCommerce: from n/a through <= 1.3.65.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-01-28
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-14
NVD
CVE-2025-68041
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
codisto omnichannel_for_woocommerce From 1.3.0 (inc) to 1.3.65 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the codisto Omnichannel for WooCommerce plugin (versions up to 1.3.65). It allows attackers to inject malicious scripts, such as redirects or advertisements, that execute when site visitors access compromised pages. The attack can be initiated by an unauthenticated user but requires user interaction by a privileged user to execute. [1]

Impact Analysis

Exploitation of this vulnerability can lead to malicious scripts running in the context of the affected website, potentially redirecting users, displaying unwanted advertisements, or executing other harmful HTML payloads. This can compromise user trust, lead to data theft, or facilitate further attacks. The vulnerability is considered medium severity with a CVSS score of 7.1 and is expected to be actively exploited if unmitigated. [1]

Detection Guidance

Detection involves monitoring for suspicious input or script injections in web pages generated by the Omnichannel for WooCommerce plugin up to version 1.3.65. Since this is a Stored XSS vulnerability, look for unexpected HTML or JavaScript code in user-generated content or input fields. Specific commands are not provided in the resources, but you can use web vulnerability scanners or manual inspection tools to identify injected scripts. Additionally, monitoring HTTP requests and responses for suspicious payloads targeting the plugin may help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include applying the Patchstack mitigation rule provided to block attacks targeting this vulnerability until an official patch is released. Users should implement this mitigation immediately to protect their websites. Avoid allowing privileged users to interact with untrusted inputs, and monitor for suspicious activity. Since no official patch is available as of January 15, 2026, applying the mitigation rule is the recommended immediate action. [1]

Compliance Impact

The provided resources do not specify how this Cross-site Scripting (XSS) vulnerability in the Omnichannel for WooCommerce plugin affects compliance with standards such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68041. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart