CVE-2025-1363: 
WordPress vulnerability analysis and mitigation

The URL Shortener | Conversion Tracking | AB Testing | WooCommerce WordPress plugin through version 9.0.2 contains a stored Cross-Site Scripting (XSS) vulnerability. This security issue was discovered and reported by Bob Matyas, with the vulnerability being publicly disclosed on February 16, 2025 (WPScan).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. This security flaw allows high-privilege users, such as administrators, to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, which is particularly concerning in multisite setups. The vulnerability has been assigned a CVSS score of 3.5 (Low) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N (NVD).

When exploited, this vulnerability could allow authenticated administrators to inject malicious JavaScript code into the plugin settings. This could potentially lead to the execution of arbitrary JavaScript code in other users' browsers when they access the affected pages, potentially compromising their sessions or leading to other client-side attacks (WPScan).

Currently, there is no known fix available for this vulnerability. Users should monitor for updates from the plugin developer and implement them when available. In the meantime, access to the plugin's settings page should be strictly limited to trusted administrators (WPScan).