CVE-2025-9115
Description
The Etsy Shop WordPress plugin before 3.0.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Etsy Shop WordPress plugin before 3.0.7 reflects the unescaped $_SERVER['REQUEST_URI'] in an attribute, enabling Reflected XSS in older browsers.
Vulnerability Overview
The Etsy Shop WordPress plugin versions prior to 3.0.7 contain a Reflected Cross-Site Scripting (XSS) vulnerability. The plugin fails to escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an HTML attribute. This lack of output escaping allows an attacker to inject arbitrary JavaScript code via a crafted URI [1].
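The pattern the overview describes, as an added PHP illustration that is not the plugin's code: a request URI echoed into an attribute unescaped, beside the escaped form. The markup and function names are assumed; outside WordPress esc_attr() is unavailable, so htmlspecialchars() stands in for it here. The sample input is constructed with the unencoded characters placed in the string directly rather than relying on a browser to send them.

```php
<?php
// Added example, not the plugin's code. Names and markup are hypothetical.

// The unsafe pattern: the raw request URI is concatenated into an attribute.
function vulnerable_attr(string $request_uri): string {
    return '<input type="hidden" name="return_to" value="' . $request_uri . '">';
}

// Stand-in for WordPress's esc_attr(): encode &, <, >, " and ' so the value
// can neither close the attribute early nor open a new tag.
function escape_attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The corrected pattern: every dynamic value is escaped at output time.
function fixed_attr(string $request_uri): string {
    return '<input type="hidden" name="return_to" value="' . escape_attr($request_uri) . '">';
}

// Constructed sample: a request URI carrying a double quote and angle brackets.
$sample = '/shop/?q=a"<b>';

// In the unescaped output the quote terminates the value attribute and the
// remainder of the URI becomes part of the markup.
echo vulnerable_attr($sample), PHP_EOL;

// In the escaped output the same characters are rendered as entities and the
// whole URI stays inside the attribute value.
echo fixed_attr($sample), PHP_EOL;
```

Inside WordPress the same fix is spelled esc_attr() or, for values that are URLs, esc_url(); the point is that escaping happens at the point of output, not at input.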
Exploitation Conditions
An attacker can exploit this by tricking a user into clicking a malicious link that contains the payload in the request URI. The vulnerability is specifically noted to affect older web browsers, which may not properly handle certain encoding or security mechanisms. No authentication is required for the attack, as the reflected input is processed on the server side and returned to the victim's browser [1].
Impact
Successful exploitation leads to Reflected Cross-Site Scripting, enabling the attacker to execute arbitrary scripts in the context of the victim's browser session. This can result in session hijacking, defacement, or redirection to malicious sites. The CVSS score is 5.6 (Medium), indicating a moderate severity [1].
Mitigation
The vulnerability has been fixed in version 3.0.7 of the Etsy Shop plugin. Users are strongly advised to update to the latest version to eliminate the risk. No workarounds are mentioned in the advisory [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: < 3.0.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.