VYPR
Medium severity 6.5 · NVD Advisory · Published Feb 25, 2025 · Updated Apr 23, 2026

CVE-2025-26878

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in patternsinthecloud Autoship Cloud for WooCommerce Subscription Products autoship-cloud allows DOM-Based XSS. This issue affects Autoship Cloud for WooCommerce Subscription Products: from n/a through <= 2.8.0.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DOM-based XSS in Autoship Cloud for WooCommerce Subscription Products plugin (≤2.8.0.1) allows attackers to inject malicious scripts via improper input neutralization.

Vulnerability Description

The Autoship Cloud for WooCommerce Subscription Products plugin for WordPress, up to version 2.8.0.1, contains a DOM-based Cross-Site Scripting (XSS) vulnerability. Improper neutralization of user-supplied input during web page generation enables attackers to inject arbitrary JavaScript or HTML into the application's DOM [1].

Exploitation Details

Exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page [1]. The attacker needs no special privileges (lower than those required for typical admin actions) to trigger the vulnerability, but a privileged user must perform the interaction for the script to execute [1]. The attack does not require authentication and is reachable over the network.

Impact

Successful exploitation could allow an attacker to inject malicious scripts (e.g., redirects, advertisements, or other HTML payloads) that execute when visitors access the affected site [1]. This can lead to defacement, data theft, or further attacks against site users.

Mitigation

The vulnerability is fixed in version 2.8.1 [1]. Users are strongly advised to update the plugin immediately. For those unable to update, consulting a hosting provider or web developer is recommended [1]. Patchstack users can enable auto-updates for the plugin [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

1
v2.8.1

Release: autoship-cloud 2.8.1 (next version after vulnerable 2.8.0.1)

References

1
