cleantalk
Vulnerabilities and Security Researches

FastSpring, CVE-2025-4595

CVE, Research URL

CVE-2025-4595

Home page URL

Security reports for FastSpring

Application

FastSpring

Published on
May 31, 2025
Research Description
The FastSpring plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fastspring/block-fastspringblocks-complete-product-catalog' block in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping on the 'color' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
Min -, max 3.0.1.
Status
vulnerable
Previous vulnerability researches
SKT Skill Bar (CVE-2024-38698) , Jul 15, 2024
SKT Skill Bar (CVE-2025-47482) , May 09, 2025
SKT Skill Bar (CVE-2025-26880) , Apr 15, 2025
New vulnerability
Leadinfo (CVE-2025-48271) , Jun 04, 2025
Free Booking Plugin for Hotels, Restaurant and Car Rental – eaSYNC (CVE-2025-4691) , Jun 04, 2025
WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance (CVE-2025-3951) , Jun 04, 2025
Year Make Model Search for WooCommerce (CVE-2025-48265) , Jun 04, 2025
Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP (CVE-2025-48255) , Jun 04, 2025