CVE-2025-53455 MEDIUM

CVE-2025-53455: WordPress CashBill.pl – Płatności WooCommerce Plugin <= 3.2.1 - Cross Site Scripting (XSS) Vulnerability

Vendor Cashbill
Product CashBill.pl – Płatności WooCommerce
Weakness CWE-79 · XSS
Published September 22, 2025
Last update April 28, 2026
View on NVD All CVEs

CVSS base score

5.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CashBill CashBill.pl – Płatności WooCommerce cashbill-payment-method allows Stored XSS.This issue affects CashBill.pl – Płatności WooCommerce: from n/a through <= 3.2.1.

Explanation of Vulnerability in Simple Terms

02Summary

CashBill.pl – Płatności WooCommerce versions 3.2.1 and earlier contain a cross-site scripting (XSS) vulnerability. An authenticated admin user with high privileges can inject malicious scripts that execute in other users' browsers when they visit affected pages. The vulnerability requires user interaction and can affect the site's integrity and confidentiality.

What an attacker can do

03Attacker Capabilities

Inject malicious scripts that execute in other users' browsers to steal data or modify site content.

Potential impact on your site

04Site Impact

An admin account could be compromised to inject scripts affecting other users and site visitors.

Conditions required to exploit

05Prerequisites

Attacker must have high-level admin privileges and the victim must visit a page containing the injected script.

Key dates

06Disclosure timeline

September 22, 2025 CVE published
April 28, 2026 Record updated

Related vulnerabilities

08Related CVE

CVE-2026-2735 Stored Cross-Site Scripting (XSS) vulnerability in Alkacon's OpenCms CVE-2023-52124 WordPress WP Tabs Plugin <= 2.2.0 is vulnerable to Cross Site Scripting (XSS) CVE-2024-32553 WordPress Superfly Menu plugin <= 5.0.25 - Subscriber+ Site-Wide Stored Cross Site Scripting (XSS) vulnerability CVE-2026-47935 Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79) CVE-2023-36501 WordPress teachPress Plugin <= 9.0.2 is vulnerable to Cross Site Scripting (XSS)