VYPR
Medium severity (CVSS 6.5) · NVD Advisory · Published May 19, 2025 · Updated Apr 23, 2026

CVE-2025-48240


Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Cost of Goods for WooCommerce (cost-of-goods-for-woocommerce) allows Stored XSS. This issue affects Cost of Goods for WooCommerce: from n/a through <= 3.7.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper input sanitization creates a Stored XSS vulnerability in WPFactory Cost of Goods for WooCommerce plugin, fixed in version 3.7.1.

Vulnerability

Description

The WPFactory Cost of Goods for WooCommerce plugin (versions up to and including 3.7.0) contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This allows an authenticated attacker with sufficient privileges to inject arbitrary JavaScript or HTML into the application's output, which is then stored and executed in the browsers of other users visiting the affected page [1].

Exploitation

Prerequisites and Method

Exploitation requires a user with at least contributor-level access, because the vulnerable plugin's input fields are only exposed to authenticated users with the appropriate roles [1]. The attacker submits a malicious script through an input field that is not properly sanitized; when an administrator or other user loads the page containing the stored payload, the script executes in that user's browser session [1]. Triggering the stored script does require a victim to view the affected page, but that happens in the course of normal administrative workflows rather than through any special interaction such as clicking a crafted link [1].

Impact

Successful exploitation could allow an attacker to perform actions such as redirecting visitors to malicious sites, displaying unauthorized advertisements, or stealing session cookies and other sensitive data [1]. Since the script executes in the context of the current user, it could lead to privilege escalation if an administrator views the compromised page [1].

Mitigation and Remediation

The vendor has released version 3.7.1, which resolves the vulnerability by properly sanitizing user input [1]. Users are strongly advised to update to version 3.7.1 or later. For Patchstack users, enabling auto-updates for vulnerable plugins is an effective defensive measure [1]. As an immediate precaution, restricting access to the plugin's settings to trusted administrators only reduces the attack surface until the update is applied [1].
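The pattern behind a stored XSS in a WordPress admin settings field, and the hardened form the remediation describes, as an added illustration that is not the plugin's own code; the option name `cog_demo_label`, the function names and the `manage_woocommerce` capability choice are assumptions, since the advisory does not name the affected field.

```php
<?php
// Added illustration (not the plugin's code). The option name and field are
// hypothetical; the advisory does not identify the actual vulnerable input.

// VULNERABLE: raw request data is stored as-is and later echoed into an
// admin page unescaped, so any markup an authenticated user submits is
// rendered in the browser of whoever views the settings page.
function cog_demo_save_setting_vulnerable() {
    update_option( 'cog_demo_label', $_POST['cog_demo_label'] );
}
function cog_demo_render_setting_vulnerable() {
    echo '<input name="cog_demo_label" value="' . get_option( 'cog_demo_label' ) . '">';
}

// HARDENED: capability check, nonce check, sanitize on input, escape on output.
function cog_demo_save_setting_hardened() {
    // Only users allowed to manage the shop may change plugin settings.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        return;
    }
    // Reject submissions that did not come from the plugin's own form.
    check_admin_referer( 'cog_demo_save' );
    // Neutralize tags and control characters before the value is stored.
    $value = isset( $_POST['cog_demo_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['cog_demo_label'] ) )
        : '';
    update_option( 'cog_demo_label', $value );
}
function cog_demo_render_setting_hardened() {
    // Escape at the point of output regardless of what is already stored,
    // so previously saved unsanitized values cannot execute either.
    printf(
        '<input name="cog_demo_label" value="%s">',
        esc_attr( get_option( 'cog_demo_label', '' ) )
    );
    wp_nonce_field( 'cog_demo_save' );
}
```

Output escaping is the control that neutralizes values stored before the fix was applied; input sanitization alone does not clean up data already in the database.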

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
