CVE-2025-5062 MEDIUM

CVE-2025-5062: WooCommerce <= 9.4.2 - PostMessage-Based Cross-Site Scripting

Vendor Automattic
Product WooCommerce
Weakness CWE-79 · XSS
Published May 22, 2025
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Key dates

02Disclosure timeline

May 22, 2025 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-53224 WordPress NextGEN Gallery Search Plugin <= 2.12 - Cross Site Scripting (XSS) Vulnerability CVE-2023-6301 SourceCodester Best Courier Management System GET Parameter parcel_list.php cross site scripting CVE-2026-9566 teableio teable Sign-up LoginPage.tsx cross site scripting CVE-2025-47626 WordPress Submission DOM tracking for Contact Form 7 plugin <= 2.1 - Cross Site Scripting (XSS) vulnerability CVE-2015-10095 woo-popup Plugin class-woo-popup-admin.php cross site scripting