CVE-2025-10191 in Big Post Shipping for WooCommerce Plugin
Summary
by MITRE • 09/30/2025
The Big Post Shipping for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wooboigpost_shipping_status' shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 09/30/2025
The vulnerability identified as CVE-2025-10191 affects the Big Post Shipping for WooCommerce plugin, a widely used WordPress extension that integrates shipping functionality with WooCommerce stores. This plugin enables merchants to manage shipping operations and track packages through a custom shortcode implementation. The vulnerability exists in versions up to and including 2.1.1, representing a critical security flaw that could compromise the integrity of WordPress installations. The issue stems from inadequate input validation and output escaping mechanisms within the plugin's shortcode processing functionality, specifically targeting the 'wooboigpost_shipping_status' shortcode which is designed to display shipping status information to users.
The technical flaw manifests as a stored cross-site scripting vulnerability that occurs when user-supplied attributes are processed through the plugin's shortcode without proper sanitization. This vulnerability operates at the application layer and is classified as CWE-79, which represents Cross-Site Scripting (XSS) vulnerabilities in software applications. The vulnerability requires minimal privileges to exploit, as authenticated attackers with contributor-level access or higher can inject malicious scripts into the plugin's shortcode attributes. When these attributes are later rendered on pages, the injected scripts execute in the context of other users who access those pages, creating a persistent threat vector that can affect multiple users over time.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the ability to perform various malicious activities within the compromised WordPress environment. Attackers could potentially steal session cookies, redirect users to malicious websites, modify content displayed to other users, or even escalate privileges within the WordPress installation. The stored nature of the vulnerability means that once a malicious script is injected, it remains persistent and will execute every time affected pages are accessed, making it particularly dangerous for websites with high user traffic or those handling sensitive customer information. This vulnerability particularly affects WooCommerce stores that rely on the Big Post Shipping plugin for their shipping management, potentially exposing customer data and disrupting business operations.
Mitigation strategies for CVE-2025-10191 should prioritize immediate action to address the vulnerability through plugin updates to versions that properly sanitize input and escape output. System administrators should implement the principle of least privilege, restricting contributor-level access to only essential functions and monitoring user activities for suspicious behavior. The vulnerability aligns with ATT&CK technique T1548.001, which describes privilege escalation through the manipulation of application-specific objects, and T1566.001, which covers spearphishing attacks that could be used to gain initial access to the WordPress environment. Organizations should conduct thorough security audits of their WordPress installations, review all active plugins for similar vulnerabilities, and implement web application firewalls to detect and block malicious script injection attempts. Additionally, regular security updates and patch management procedures should be enforced to prevent similar vulnerabilities from being introduced through outdated software components.