CVE-2025-59565

The Upsell Order Bump Offer for WooCommerce plugin for WordPress versions up to and including 3.0.7 contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw allows attackers to inject arbitrary web scripts or HTML into pages that will be executed when other users access the affected site.

Exploitation requires a privileged user to perform an action, such as clicking a malicious link or visiting a crafted page, but the injected script persists and can affect any visitor [1]. The vulnerability can be initiated by an authenticated user with the required privilege level, and user interaction is needed for the initial injection.

Successful exploitation could allow an attacker to inject malicious scripts, including redirects, advertisements, or other HTML payloads, which execute when guests visit the site [1]. This can lead to defacement, data theft, or further compromise of the WordPress installation.

The vulnerability has been addressed in version 3.0.8 of the plugin [1]. Users are strongly advised to update to this version or enable auto-updates for vulnerable plugins. The issue is considered low severity and unlikely to be exploited, but immediate action is recommended to prevent potential mass-exploit campaigns [1].