CVE-2025-58985 in Additional Custom Product Tabs for WooCommerce Plugin
Summary
by MITRE • 09/09/2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Additional Custom Product Tabs for WooCommerce allows Stored XSS. This issue affects Additional Custom Product Tabs for WooCommerce: from n/a through 1.7.3.
Analysis
by VulDB Data Team • 09/09/2025
This vulnerability represents a critical cross-site scripting flaw in the WPFactory Additional Custom Product Tabs for WooCommerce plugin, which operates under the CWE-79 category of Cross-Site Scripting. The vulnerability arises from improper input sanitization during the web page generation process, specifically when handling user-supplied data in product tab content. Attackers can exploit this weakness by injecting malicious scripts into product tab fields that are then stored on the server and subsequently executed in the context of other users' browsers when they view the affected product pages.
The technical implementation of this stored XSS vulnerability occurs through the plugin's handling of custom product tab content where user input is not adequately sanitized or escaped before being rendered back to users. When administrators or users with appropriate permissions create or modify product tabs containing malicious script payloads, these inputs are stored in the database without proper neutralization. Subsequently, when other users access the product pages, the stored malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or redirection to malicious sites. This vulnerability affects all versions of the plugin up to and including version 1.7.3, indicating a long-standing issue that has not been properly addressed.
The operational impact of this vulnerability extends beyond simple script execution as it provides attackers with persistent access to user sessions and potentially administrative privileges if the compromised users have elevated permissions. The stored nature of the XSS means that the attack vector remains active until the malicious content is removed from the database, allowing attackers to maintain access over extended periods. This vulnerability particularly affects e-commerce environments where user trust and session integrity are paramount, as it can be exploited to steal customer information, manipulate product displays, or redirect users to fraudulent sites. The attack chain follows typical ATT&CK techniques for initial access and privilege escalation through web application vulnerabilities.
Mitigation strategies should focus on immediate input validation and output encoding practices, including implementing proper sanitization of all user inputs before storage and ensuring that all content is properly escaped when rendered in web contexts. The plugin developers should implement comprehensive input filtering mechanisms that strip or encode potentially dangerous characters and tags from user submissions. Additionally, administrators should consider implementing content security policies to limit script execution, and regular security audits should be conducted to identify similar vulnerabilities in other plugins or custom code. The most effective remediation involves upgrading to patched versions of the plugin where available, implementing web application firewalls for additional protection layers, and ensuring that all user inputs undergo strict validation before being processed or stored within the system.
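A defender-side check for the persistence described above, as an added example that is not from the advisory or the plugin: it audits stored tab content for script-capable markup so that affected rows can be reviewed and cleaned. The rows, their ids and the export shape are constructed; where the plugin stores tab content is not stated on this page, so the query that produces the rows is left out.

```python
from html.parser import HTMLParser

# Elements that run script or load active content when rendered as HTML.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
# Attributes whose value is a URL the browser may load or navigate to.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}


class TabContentAuditor(HTMLParser):
    """Collects script-capable constructs found in one stored tab body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):  # event handlers; broad on purpose
                self.findings.append(f"{name} handler on <{tag}>")
            # Browsers skip whitespace and control characters inside a scheme.
            scheme = "".join(c for c in (value or "") if c > " ").lower()
            if name in URL_ATTRS and scheme.startswith(("javascript:", "data:text/html")):
                self.findings.append(f"script URL in {name} on <{tag}>")


def audit_rows(rows):
    """Return {row_id: [findings]} for rows whose content needs review."""
    flagged = {}
    for row_id, content in rows:
        auditor = TabContentAuditor()
        auditor.feed(content)
        auditor.close()
        if auditor.findings:
            flagged[row_id] = auditor.findings
    return flagged


# Constructed sample rows: (row id, stored tab content as exported).
SAMPLE_ROWS = [
    (101, "<p>Machine wash cold. <strong>Do not bleach.</strong></p>"),
    (102, '<p>Sizing</p><img src="chart.png" onerror="alert(1)">'),
    (103, "<h3>Specs</h3><script>alert(1)</script>"),
    (104, '<a href="JaVa\tscript:alert(1)">Warranty</a>'),
    (105, "<p>Use &lt;script&gt; tags only in your theme.</p>"),
]

if __name__ == "__main__":
    for row_id, findings in audit_rows(SAMPLE_ROWS).items():
        print(row_id, "; ".join(findings))
```

Row 105 is not flagged because its markup is already entity-encoded text, which is what correctly escaped output looks like in storage or on the page.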