CVE-2025-32195: 
WordPress vulnerability analysis and mitigation

The Ecwid Shopping Cart WordPress plugin version 7.0 and earlier contains a Stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered by Ngô Thiên An (ancorn_) from VNPT-VCI and was disclosed on April 4, 2025. This security issue affects the Ecwid Shopping Cart plugin developed by Ecwid by Lightspeed Ecommerce (NVD, Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) issue. It has been assigned a CVSS v3.1 score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability is tracked as CWE-79 and requires contributor-level access or higher to exploit (NVD).

If exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject malicious scripts into pages. These scripts will execute whenever a user accesses the affected pages, potentially leading to the injection of malicious redirects, advertisements, and other HTML payloads (Patchstack).

The vulnerability has been fixed in version 7.0.1 of the Ecwid Shopping Cart plugin. Users are advised to update to version 7.0.1 or later to remove the vulnerability. The security issue has been assessed as having a low severity impact and is considered unlikely to be exploited (Patchstack).