CVE-2025-6255
Description
The Dynamic AJAX Product Filters for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Dynamic AJAX Product Filters plugin via unsanitized 'className' parameter, affecting versions ≤1.3.7.
The Dynamic AJAX Product Filters for WooCommerce plugin suffers from a stored cross-site scripting (XSS) vulnerability due to insufficient input sanitization and output escaping on the 'className' parameter. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts via the plugin's filter settings [1].
Attackers can exploit this by crafting a malicious 'className' value that, when saved, will execute in the context of any user viewing pages containing the injected filter. No special network access or additional authentication is needed beyond the contributor-level account.
Successful exploitation enables an attacker to execute arbitrary JavaScript in the browsers of other users, including administrators. This can lead to session hijacking, defacement, or further privilege escalation within the WordPress site.
The vulnerability is present in all versions up to and including 1.3.7. Users are advised to update to version 1.3.8 or later, which contains the necessary sanitization fixes [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <=1.3.7
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- plugins.trac.wordpress.org/browser/dynamic-ajax-product-filters-for-woocommerce/tags/1.1.7/includes/blocks_widget_create.phpnvd
- plugins.trac.wordpress.org/changeset/3350071/nvd
- wordpress.org/plugins/dynamic-ajax-product-filters-for-woocommerce/nvd
- www.wordfence.com/threat-intel/vulnerabilities/id/50bfbde2-2ccc-483a-95f5-a2ad284fda23nvd
News mentions
0No linked articles in our index yet.