CVE-2025-24668
Description
Stored XSS vulnerability in PPOM for WooCommerce plugin up to version 33.0.8 allows attackers to inject malicious scripts via product addon fields.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The PPOM for WooCommerce plugin (woocommerce-product-addon) versions up to and including 33.0.8 contain a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. The vulnerability exists in the handling of custom product addon fields, where an attacker can inject arbitrary JavaScript code that gets stored and executed when other users view the affected product pages. [1]
Exploitation
An attacker with the ability to create or edit product addon fields (typically a shop manager or administrator role) can inject malicious script payloads into input fields such as text inputs, textareas, or other custom field types. The injected script is stored in the database and executed in the browsers of any user who visits the product page containing the malicious addon. No user interaction beyond viewing the page is required for the XSS to trigger.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attack is stored, meaning it affects all subsequent visitors to the compromised product page, potentially including customers and administrators.
Mitigation
The vulnerability is fixed in version 34.0.1 of the plugin, released on 2026-05-21. Users are strongly advised to update to this version or later. No workarounds are documented in the available references. [1]
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- PPOM for WooCommerce (woocommerce-product-addon): versions <= 33.0.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.