CVE-2025-32533: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in Matat Technologies' Deliver via Shipos for WooCommerce plugin, affecting versions through 2.1.7. The vulnerability was initially reported by João Pedro S Alcântara (Kinorth) on November 30, 2024, and was publicly disclosed on April 10, 2025, receiving the identifier CVE-2025-32533 (Patchstack, NVD).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It has received a CVSS v3.1 base score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating that it is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction (NVD).

This vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the affected website. These injected scripts would be executed when guests visit the site, potentially compromising the security of both the website and its visitors (Patchstack).

The vulnerability has been fixed in version 2.2.0 of the plugin. Users are advised to update to version 2.2.0 or later immediately. For Patchstack users, a virtual patch has been issued to mitigate this issue by blocking any attacks until the update to a fixed version can be completed (Patchstack).