CVE-2025-23495
Published: 22 January 2025
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chetan Khandla WooCommerce Order Search woocommerce-order-searching allows Reflected XSS.This issue affects WooCommerce Order Search: from n/a through <= 1.1.0.
Security Summary
CVE-2025-23495 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79. It affects the WooCommerce Order Search plugin (woocommerce-order-searching) developed by Chetan Khandla for WordPress, impacting all versions from n/a through 1.1.0 inclusive. The vulnerability was published on 2025-01-22.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no privileges required, and user interaction needed, with changed scope and low impacts to confidentiality, integrity, and availability. Unauthenticated attackers can exploit it by crafting malicious input that reflects executable scripts back to users, such as through a tricked click on a malicious link, allowing arbitrary script execution in the victim's browser context.
The primary advisory reference is available at https://patchstack.com/database/Wordpress/Plugin/woocommerce-order-searching/vulnerability/wordpress-woocommerce-order-search-plugin-1-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, which details the vulnerability in the WooCommerce Order Search plugin version 1.1.0. Security practitioners should consult this for specific patch or mitigation guidance.
Details
- CWE(s)