CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-24644: WordPress WooCommerce PDF Invoices plugin <= 4.7.1 - Stored Cross Site Scripting (XSS) vulnerability

5.9 CVSS

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebToffee WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels allows Stored XSS. This issue affects WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels: from n/a through 4.7.1.

Classification

CVE ID: CVE-2025-24644

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.9

Affected Products

Vendor: WebToffee

Product: WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 16.49% (scored less or equal to compared to others)

EPSS Date: 2025-02-21 (when was this score calculated)

References

https://patchstack.com/database/wordpress/plugin/print-invoices-packing-slip-labels-for-woocommerce/vulnerability/wordpress-woocommerce-pdf-invoices-plugin-4-7-1-stored-cross-site-scripting-xss-vulnerability?_s_id=cve

Timeline

2025-01-25 00:30:32 UTC
CVE

WordPress WooCommerce PDF Invoices plugin <= 4.7.1 - Stored Cross Site Scripting (XSS) vulnerability