CVE-2025-22588
Published: 13 January 2025
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in intelligence_lab Scanventory woocommerce-inventory-management allows Reflected XSS.This issue affects Scanventory: from n/a through <= 1.1.3.
Security Summary
CVE-2025-22588 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the Scanventory WooCommerce Inventory Management plugin by intelligence_lab. This issue affects all versions of the Scanventory plugin up to and including 1.1.3, which is a WordPress plugin for inventory management in WooCommerce environments. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
Unauthenticated attackers (PR:N) can exploit this over the network (AV:N) with low complexity (AC:L) by tricking users into interacting with malicious input, such as clicking a crafted link (UI:R). Successful exploitation changes scope (S:C), enabling arbitrary script execution in the victim's browser context, with low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L). This could allow theft of session data or limited site manipulation from the user's perspective.
The Patchstack advisory provides details on this Reflected XSS vulnerability in the WordPress Scanventory plugin version 1.1.3, available at https://patchstack.com/database/Wordpress/Plugin/woocommerce-inventory-management/vulnerability/wordpress-scanventory-plugin-1-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
Details
- CWE(s)