CVE-2025-26749
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in the WPFactory Additional Custom Product Tabs for WooCommerce plugin allows attackers to inject malicious scripts into product pages. When exploited, these scripts execute in visitors' browsers, potentially stealing session cookies or redirecting users. All WordPress sites using this plugin version 1.7.0 or earlier are affected.
💻 Affected Systems
- WPFactory Additional Custom Product Tabs for WooCommerce
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over the WordPress admin panel, install backdoors, deface the site, or redirect users to malicious sites.
Likely Case
Attackers inject malicious JavaScript that steals user session cookies or redirects customers to phishing pages during product browsing.
If Mitigated
With proper input validation and output escaping, malicious scripts would be neutralized before reaching users' browsers.
🎯 Exploit Status
Exploitation requires contributor-level access or higher to create/edit product tabs. The vulnerability is in stored content that affects all visitors.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.1 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Additional Custom Product Tabs for WooCommerce'. 4. Click 'Update Now' if available. 5. Alternatively, download version 1.7.1+ from WordPress repository and replace the plugin files.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate additional-custom-product-tabs-for-woocommerce
Restrict User Roles
allLimit who can create/edit product tabs to trusted administrators only
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with XSS protection rules
- Monitor for suspicious JavaScript in product tab content and user sessions
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Additional Custom Product Tabs for WooCommerce → Version. If version is 1.7.0 or earlier, you're vulnerable.Check Version:
wp plugin get additional-custom-product-tabs-for-woocommerce --field=versionVerify Fix Applied:
After updating, verify plugin version shows 1.7.1 or higher in WordPress admin plugins page.📡 Detection & Monitoring
Log Indicators:
- Unusual product tab edits by non-admin users
- JavaScript payloads in product content
- Multiple failed login attempts followed by product edits
Network Indicators:
- Unexpected external JavaScript loading from product pages
- Suspicious redirects from WooCommerce product URLs
SIEM Query:
source="wordpress" AND (event="plugin_update" AND plugin_name="additional-custom-product-tabs-for-woocommerce" AND version<="1.7.0") OR (event="post_modified" AND post_type="product" AND user_role!="administrator")