CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
What the vulnerability does
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Sitewide Discount for WooCommerce: Apply Discount to All Products global-shop-discount-for-woocommerce allows Stored XSS.This issue affects Sitewide Discount for WooCommerce: Apply Discount to All Products: from n/a through <= 2.2.1.
Explanation of Vulnerability in Simple Terms
The Sitewide Discount for WooCommerce plugin contains a stored cross-site scripting (XSS) vulnerability in versions up to 2.2.1. An authenticated user with low privileges can inject malicious scripts that execute in the browsers of other site visitors, including administrators. The vulnerability requires user interaction to trigger and can affect multiple users across the site.
What an attacker can do
Inject malicious scripts that run in other users' browsers, potentially stealing session tokens or admin credentials.
Potential impact on your site
Attackers with basic site access can compromise admin accounts or steal customer data through stored XSS attacks.
Conditions required to exploit
Attacker must have a low-privilege account (e.g., customer or contributor) and a victim must view a page containing the injected payload.
Key dates
External resources
Related vulnerabilities
