CVE-2025-69386
Reflected XSS in RVCFDI para Woocommerce
Publication date: 2026-02-20
Last updated on: 2026-02-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| realvirtualmx | rvcfdi_para_woocommerce | to 8.1.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2025-69386 is a medium priority Cross Site Scripting (XSS) vulnerability affecting the WordPress plugin "RVCFDI para Woocommerce" versions up to and including 8.1.8.'}, {'type': 'paragraph', 'content': 'This vulnerability allows an attacker to inject malicious scriptsβsuch as redirects, advertisements, or other HTML payloadsβinto a website, which execute when visitors access the site.'}, {'type': 'paragraph', 'content': 'Exploitation requires user interaction by a privileged user performing actions like clicking a malicious link, visiting a crafted page, or submitting a form.'}, {'type': 'paragraph', 'content': 'The vulnerability is classified under OWASP Top 10 category A3: Injection.'}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'An attacker exploiting this vulnerability can inject malicious scripts into your website, which may execute unwanted actions such as redirecting users, displaying unauthorized advertisements, or executing other harmful HTML payloads.'}, {'type': 'paragraph', 'content': "This can lead to compromised user experience, potential theft of user data, session hijacking, or damage to your website's reputation."}, {'type': 'paragraph', 'content': 'Exploitation requires a privileged user to interact with malicious content, but the attacker does not need to be authenticated.'}, {'type': 'paragraph', 'content': 'No official patch is currently available, but mitigation rules exist to block attacks until a patch is released.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
There is no official patch currently available for this vulnerability.
Patchstack has issued a mitigation rule to block attacks until an official patch is released and can be safely applied.
It is recommended to apply this mitigation rule immediately to protect affected websites.