{"api_version":"1","generated_at":"2026-04-24T22:08:20+00:00","cve":"CVE-2019-25152","urls":{"html":"https://cve.report/CVE-2019-25152","api":"https://cve.report/api/cve/CVE-2019-25152.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-25152","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-25152"},"summary":{"title":"Abandoned Cart Lite for WooCommerce < 5.2.0 and Abandoned Cart Pro for WooCommerce < 7.13.0 - Stored Cross-Site Scripting","description":"The Abandoned Cart Lite for WooCommerce and Abandoned Cart Pro for WooCommerce plugins for WordPress are vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 5.1.3 and 7.12.0 respectively, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in user input that will execute on the admin dashboard.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2023-06-22 02:15:47","updated_at":"2026-04-08 19:17:33"},"problem_types":["CWE-79","CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"6.1","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"7.2","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.2","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","data":{"baseScore":7.2,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://wpscan.com/vulnerability/9229","name":"https://wpscan.com/vulnerability/9229","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Abandoned Cart Lite for WooCommerce < 5.2.0 - Unauthenticated Stored Cross-Site Scripting (XSS) Security Vulnerability","mime":"text/html","httpstatus":"403","archivestatus":"200"},{"url":"https://www.wordfence.com/blog/2019/03/xss-flaw-in-abandoned-cart-plugin-leads-to-wordpress-site-takeovers/","name":"https://www.wordfence.com/blog/2019/03/xss-flaw-in-abandoned-cart-plugin-leads-to-wordpress-site-takeovers/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory"],"title":"XSS Vulnerability in Abandoned Cart Plugin Leads To WordPress Site Takeovers","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://plugins.trac.wordpress.org/changeset/2033212","name":"https://plugins.trac.wordpress.org/changeset/2033212","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"403 Forbidden","mime":"text/html","httpstatus":"403","archivestatus":"404"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/a9cc5c6d-4396-4ebf-8788-f01dd9e9cfbc?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/a9cc5c6d-4396-4ebf-8788-f01dd9e9cfbc?source=cve","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Abandoned Cart Lite for WooCommerce < 5.2.0 and Abandoned Cart Pro for WooCommerce < 7.13.0 - Stored Cross-Site Scripting","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-25152","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-25152","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"tychesoftwares","product":"Abandoned Cart Lite for WooCommerce","version":"affected 5.2.0 semver","platforms":[]},{"source":"CNA","vendor":"TYCHE","product":"Abandoned Cart Pro for WooCommerce","version":"affected 7.12.0 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2019-03-11T00:00:00.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"25152","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"tychesoftwares","cpe5":"abandoned_cart_lite_for_woocommerce","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"25152","vulnerable":"1","versionEndIncluding":"7.12.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"tychesoftwares","cpe5":"abandoned_cart_pro_for_woocommerce","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2019","cve_id":"25152","cve":"CVE-2019-25152","epss":"0.271250000","percentile":"0.963740000","score_date":"2026-04-09","updated_at":"2026-04-10 00:07:03"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-05T03:00:19.348Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/a9cc5c6d-4396-4ebf-8788-f01dd9e9cfbc?source=cve"},{"tags":["x_transferred"],"url":"https://www.wordfence.com/blog/2019/03/xss-flaw-in-abandoned-cart-plugin-leads-to-wordpress-site-takeovers/"},{"tags":["x_transferred"],"url":"https://plugins.trac.wordpress.org/changeset/2033212"},{"tags":["x_transferred"],"url":"https://wpscan.com/vulnerability/9229"}],"title":"CVE Program Container"},{"metrics":[{"other":{"content":{"id":"CVE-2019-25152","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2024-10-30T13:03:35.482920Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-10-30T13:03:54.359Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Abandoned Cart Lite for WooCommerce","vendor":"tychesoftwares","versions":[{"lessThan":"5.2.0","status":"affected","version":"0","versionType":"semver"}]},{"defaultStatus":"unaffected","product":"Abandoned Cart Pro for WooCommerce","vendor":"TYCHE","versions":[{"lessThanOrEqual":"7.12.0","status":"affected","version":"0","versionType":"semver"}]}],"descriptions":[{"lang":"en","value":"The Abandoned Cart Lite for WooCommerce and Abandoned Cart Pro for WooCommerce plugins for WordPress are vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 5.1.3 and 7.12.0 respectively, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in user input that will execute on the admin dashboard."}],"metrics":[{"cvssV3_1":{"baseScore":7.2,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-08T17:14:13.416Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/a9cc5c6d-4396-4ebf-8788-f01dd9e9cfbc?source=cve"},{"url":"https://www.wordfence.com/blog/2019/03/xss-flaw-in-abandoned-cart-plugin-leads-to-wordpress-site-takeovers/"},{"url":"https://plugins.trac.wordpress.org/changeset/2033212"},{"url":"https://wpscan.com/vulnerability/9229"}],"timeline":[{"lang":"en","time":"2019-03-11T00:00:00.000Z","value":"Disclosed"}],"title":"Abandoned Cart Lite for WooCommerce < 5.2.0 and Abandoned Cart Pro for WooCommerce < 7.13.0 - Stored Cross-Site Scripting"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2019-25152","datePublished":"2023-06-22T01:49:51.293Z","dateReserved":"2023-06-21T11:29:00.463Z","dateUpdated":"2026-04-08T17:14:13.416Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2023-06-22 02:15:47","lastModifiedDate":"2026-04-08 19:17:33","problem_types":["CWE-79","CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","baseScore":7.2,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":2.7},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:tychesoftwares:abandoned_cart_lite_for_woocommerce:*:*:*:*:*:wordpress:*:*","versionEndExcluding":"5.2.0","matchCriteriaId":"8931697D-8EC8-4B2A-881B-286B495DCCC0"},{"vulnerable":true,"criteria":"cpe:2.3:a:tychesoftwares:abandoned_cart_pro_for_woocommerce:*:*:*:*:*:wordpress:*:*","versionEndIncluding":"7.12.0","matchCriteriaId":"371B5867-CE38-44E6-9DCD-3FB3DABAE8A5"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"25152","Ordinal":"1","Title":"Abandoned Cart Lite for WooCommerce < 5.2.0 and Abandoned Cart P","CVE":"CVE-2019-25152","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"25152","Ordinal":"1","NoteData":"The Abandoned Cart Lite for WooCommerce and Abandoned Cart Pro for WooCommerce plugins for WordPress are vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 5.1.3 and 7.12.0 respectively, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in user input that will execute on the admin dashboard.","Type":"Description","Title":"Abandoned Cart Lite for WooCommerce < 5.2.0 and Abandoned Cart P"}]}}}