What the vulnerability does
01 Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ShapedPlugin LLC Quick View for WooCommerce woo-quickview allows Stored XSS. This issue affects Quick View for WooCommerce: from n/a through <= 2.2.16.
Explanation of Vulnerability in Simple Terms
02 Summary
Quick View for WooCommerce versions up to 2.2.16 contain a stored cross-site scripting (XSS) vulnerability. An authenticated user with low privileges can inject malicious scripts that execute in the browsers of other site visitors, including administrators. The vulnerability requires user interaction to trigger. Impact is limited to confidentiality, integrity, and availability of the affected page.
What an attacker can do
03 Attacker Capabilities
Inject malicious scripts that run in other users' browsers when they view the affected page.
Potential impact on your site
04 Site Impact
Attackers with subscriber or contributor access can deface content, steal admin session tokens, or redirect visitors to malicious sites.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege account on the site; victim must visit a page containing the injected content.
Key dates
06 Disclosure timeline
September 22, 2025: CVE published
May 13, 2026: Record updated