CVE-2025-3814: 
WordPress vulnerability analysis and mitigation

The Tax Switch for WooCommerce plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-3814) that affects all versions up to and including 1.4.2. The vulnerability was discovered on April 21, 2025, and was reported by security researcher Peter Thaleikis (Wordfence). The issue exists in the plugin's handling of the 'class-name' parameter, which lacks proper input sanitization and output escaping (WordPress Plugin).

The vulnerability stems from insufficient input sanitization and output escaping of the 'class-name' parameter in the plugin's code. This security flaw has been assigned a CVSS v3.1 Base Score of 6.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These injected scripts will execute whenever a user accesses the affected page, potentially leading to unauthorized actions and data theft (NVD).

The vulnerability has been patched in version 1.4.3 of the Tax Switch for WooCommerce plugin. The update includes security improvements for escaping dynamic class names in HTML output. Users are strongly advised to update to version 1.4.3 or later to protect against this vulnerability (WordPress Plugin).