CVE-2025-10191
📋 TL;DR
This stored XSS vulnerability in the Big Post Shipping for WooCommerce WordPress plugin allows authenticated attackers with contributor-level access or higher to inject malicious scripts into website pages. The scripts execute whenever users visit compromised pages, potentially stealing session cookies, redirecting users, or defacing websites. All WordPress sites using this plugin up to version 2.1.1 are affected.
💻 Affected Systems
- Big Post Shipping for WooCommerce WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full site control, install backdoors, steal customer data, or redirect users to malicious sites.
Likely Case
Attackers deface websites, inject cryptocurrency miners, steal visitor session data, or redirect users to phishing pages.
If Mitigated
Limited to authenticated users only, with proper input validation preventing script injection and output escaping neutralizing any attempts.
🎯 Exploit Status
Requires authenticated access (contributor role or higher). Exploitation involves injecting scripts via the 'wooboigpost_shipping_status' shortcode attributes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 2.1.1
Vendor Advisory: https://wordpress.org/plugins/woo-bigpost-shipping
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Big Post Shipping for WooCommerce'. 4. Click 'Update Now' if available. 5. If no update appears, manually download latest version from WordPress.org and replace plugin files.
🔧 Temporary Workarounds
Remove or disable plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate woo-bigpost-shipping
Restrict user roles
allLimit contributor-level access to trusted users only
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads
- Regularly audit user accounts and remove unnecessary contributor-level access
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin → Plugins → Installed Plugins. If version is 2.1.1 or lower, you are vulnerable.Check Version:
wp plugin get woo-bigpost-shipping --field=versionVerify Fix Applied:
After update, verify plugin version is higher than 2.1.1. Test shortcode functionality to ensure it properly escapes output.📡 Detection & Monitoring
Log Indicators:
- Unusual shortcode usage in post/page edits
- Multiple failed authentication attempts followed by successful contributor login
- Suspicious script tags in post content
Network Indicators:
- Unexpected outbound connections from WordPress site to unknown domains
- Suspicious JavaScript payloads in HTTP requests
SIEM Query:
source="wordpress" AND (event="post_edit" OR event="plugin_activity") AND plugin="woo-bigpost-shipping" AND version<="2.1.1"