CVE-2025-10167: 
WordPress vulnerability analysis and mitigation

The Stock History & Reports Manager for WooCommerce plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-10167) discovered on October 10, 2025. The vulnerability affects all versions up to and including 2.2.1, specifically in the plugin's 'algwcstocksnapshotrestocked' shortcode. This security issue stems from insufficient input sanitization and output escaping on user-supplied attributes (NVD CVE).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 6.4 (Medium), using the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The technical root cause is related to improper neutralization of input during web page generation, specifically in the shortcode functionality of the plugin (Rapid7, Wordfence).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever any user accesses the compromised page, potentially leading to unauthorized data access or manipulation of user sessions (NVD CVE).

The vulnerability has been patched in version 2.2.3 of the Stock History & Reports Manager for WooCommerce plugin. Users are advised to update to this version immediately to address the security issue (WordPress Plugin).