CVE-2025-68041
BaseFortify
Publication date: 2026-01-22
Last updated on: 2026-01-28
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| codisto | omnichannel_for_woocommerce | From 1.3.0 (inc) to 1.3.65 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the codisto Omnichannel for WooCommerce plugin (versions up to 1.3.65). It allows attackers to inject malicious scripts, such as redirects or advertisements, that execute when site visitors access compromised pages. The attack can be initiated by an unauthenticated user but requires user interaction by a privileged user to execute. [1]
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to malicious scripts running in the context of the affected website, potentially redirecting users, displaying unwanted advertisements, or executing other harmful HTML payloads. This can compromise user trust, lead to data theft, or facilitate further attacks. The vulnerability is considered medium severity with a CVSS score of 7.1 and is expected to be actively exploited if unmitigated. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring for suspicious input or script injections in web pages generated by the Omnichannel for WooCommerce plugin up to version 1.3.65. Since this is a Stored XSS vulnerability, look for unexpected HTML or JavaScript code in user-generated content or input fields. Specific commands are not provided in the resources, but you can use web vulnerability scanners or manual inspection tools to identify injected scripts. Additionally, monitoring HTTP requests and responses for suspicious payloads targeting the plugin may help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the Patchstack mitigation rule provided to block attacks targeting this vulnerability until an official patch is released. Users should implement this mitigation immediately to protect their websites. Avoid allowing privileged users to interact with untrusted inputs, and monitor for suspicious activity. Since no official patch is available as of January 15, 2026, applying the mitigation rule is the recommended immediate action. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not specify how this Cross-site Scripting (XSS) vulnerability in the Omnichannel for WooCommerce plugin affects compliance with standards such as GDPR or HIPAA.