Pepro Bacs Receipt Upload For Woocommerce

Source repositories

CVE	Vendor / Product	Sev	Risk	CVSS	EPSS	KEV	Published	Description
CVE-2025-24574	WordPress Pepro Bacs Receipt Upload For Woocommerce	Hig	0.46	7.1	0.00		Feb 3, 2025	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pepro Dev. Group PeproDev WooCommerce Receipt Uploader pepro-bacs-receipt-upload-for-woocommerce allows Reflected XSS.This issue affects PeproDev WooCommerce Receipt Uploader: from n/a through <= 2.6.9.
CVE-2024-8873	WordPress Pepro Bacs Receipt Upload For Woocommerce	Med	0.40	6.1	0.03		Nov 16, 2024	The PeproDev WooCommerce Receipt Uploader plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.6.9. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. CVE-2025-24574 is likely a duplicate of this issue.

CVE-2025-24574HigFeb 3, 2025
WordPress
Pepro Bacs Receipt Upload For Woocommerce
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pepro Dev. Group PeproDev WooCommerce Receipt Uploader pepro-bacs-receipt-upload-for-woocommerce allows Reflected XSS.This issue affects PeproDev WooCommerce Receipt Uploader: from n/a through <= 2.6.9.
CVE-2024-8873MedNov 16, 2024
WordPress
Pepro Bacs Receipt Upload For Woocommerce
risk 0.40cvss 6.1epss 0.03
The PeproDev WooCommerce Receipt Uploader plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.6.9. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. CVE-2025-24574 is likely a duplicate of this issue.