cleantalk
Vulnerabilities and Security Researches

WooCommerce, CVE-2025-5062

CVE, Research URL

CVE-2025-5062

Home page URL

Security reports for WooCommerce

Application

WooCommerce

Published on
May 22, 2025
Research Description
The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions
Min -, max 9.4.2.
Status
vulnerable
Previous vulnerability researches
CryptoCloud – Crypto Payment Gateway (CVE-2025-48147) , May 26, 2025
New vulnerability
WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce (CVE-2025-48125) , May 31, 2025
Minimal Share Buttons (CVE-2025-5259) , May 30, 2025
LA-Studio Element Kit for Elementor (CVE-2025-4943) , May 30, 2025
LA-Studio Element Kit for Elementor (CVE-2025-4944) , May 30, 2025
Essential Real Estate (CVE-2025-48126) , May 30, 2025