CVE-2025-62096

Root

Cause The vulnerability is a Stored Cross-Site Scripting (XSS) issue in the WPFactory Maximum Products per User for WooCommerce plugin, affecting versions from n/a through 4.4.3. The root cause is improper neutralization of user input during web page generation, allowing an attacker to store malicious scripts in the plugin's data [1].

Exploitation

Exploitation requires a privileged user (e.g., administrator) to perform an action such as clicking a malicious link or visiting a crafted page. While the vulnerability can be initiated by an authenticated attacker with lower privileges, successful execution depends on a higher-privileged user interacting with the injected content [1].

Impact

A successful exploit allows an attacker to inject arbitrary scripts into the website. These scripts can execute when other users (including administrators or visitors) access the affected page, potentially leading to actions such as redirects, display of advertisements, or other HTML payloads [1].

Mitigation

The vendor has released version 4.4.4 which addresses the vulnerability. Users are advised to update immediately. For those unable to update, auto-update features (e.g., Patchstack's) or assistance from a hosting provider or web developer is recommended [1].