CVE-2025-67544
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Get Bowtied Shopkeeper Extender shopkeeper-extender allows Stored XSS. This issue affects Shopkeeper Extender: from n/a through < 7.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored cross-site scripting vulnerability in Shopkeeper Extender before 7.0 lets attackers inject malicious scripts executed when visitors view pages, requiring privileged user interaction.
The Shopkeeper Extender plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability caused by improper neutralization of input during web page generation [1]. This issue affects versions before 7.0 [1].
Exploitation
An attacker with a privileged role—such as an editor or administrator—can inject arbitrary scripts into the plugin's input fields [1]. Successful exploitation requires a privileged user to perform an action, such as clicking a crafted link or submitting a form, thereby storing the payload in the database [1].
Impact
When a victim visits a page containing the stored payload, the malicious script executes in their browser [1]. This could allow redirection to malicious sites, injection of advertisements, theft of session cookies, or defacement of the website [1]. The plugin's wide adoption means this vulnerability could be used in mass-exploit campaigns targeting thousands of websites [1].
Mitigation
The vendor has released version 7.0, which fixes the issue [1]. Users are advised to update immediately or enable auto-update via Patchstack [1]. If unable to update, contact a hosting provider or web developer for assistance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 7.0
- Range: < 7.0
Patches
No patches discovered yet.
References