VYPR
Medium severity 6.5 · NVD Advisory · Published Sep 26, 2025 · Updated Apr 23, 2026

CVE-2025-58917

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nick Verwymeren Quantities and Units for WooCommerce quantities-and-units-for-woocommerce allows Stored XSS. This issue affects Quantities and Units for WooCommerce: from n/a through <= 1.0.13.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in WordPress Quantities and Units for WooCommerce plugin (≤1.0.13) allows authenticated attackers to inject malicious scripts.

The Quantities and Units for WooCommerce plugin for WordPress versions 1.0.13 and earlier contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of input during web page generation. This flaw allows an attacker to inject arbitrary web scripts into pages that will be executed whenever a user accesses the affected page [1].

Exploitation requires at least a privileged user role (e.g., Shop Manager) to perform an action, such as submitting a form or clicking a crafted link. The injected script is stored on the server, meaning the attack does not require user interaction by the victim beyond visiting the page where the payload resides. The vulnerability is classified with a CVSS v3 score of 6.5, reflecting medium severity [1].

The impact includes the ability for an attacker to inject malicious scripts, which could be used to redirect visitors to phishing sites, display unauthorized advertisements, or alter page content. Such stored XSS attacks can compromise the integrity of the website and may lead to further exploitation of site visitors [1].

Users are strongly advised to update the plugin to a patched version as soon as possible. If an immediate update is not possible, consulting a hosting provider or web developer for additional security measures is recommended. The vulnerability is actively used in mass-exploit campaigns, underscoring the need for prompt action [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1