CVE-2025-11821: 
WordPress vulnerability analysis and mitigation

The Woocommerce – Products By Custom Tax plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-11821) affecting all versions up to and including 2.2. The vulnerability was discovered and disclosed on November 10, 2025. This security issue impacts WordPress installations using the affected plugin versions (NVD CVE).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue (CWE-79) that exists in the 'wooproductscustom_tax' shortcode functionality. The root cause is insufficient input sanitization and output escaping on user-supplied attributes. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (Wordfence).

The vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever any user accesses the compromised page, potentially leading to data theft, session hijacking, or other client-side attacks (NVD CVE).

The plugin has been temporarily closed as of November 7, 2025, pending a full security review. Users are advised to disable and remove the plugin until a patched version becomes available (WordPress Plugin).