CVE-2025-39520: 
WordPress vulnerability analysis and mitigation

CVE-2025-39520 is a Cross-site Scripting (XSS) vulnerability discovered in WP Wham Checkout Files Upload for WooCommerce plugin affecting versions through 2.2.0. The vulnerability was discovered and reported by muhammad yudha on March 11, 2025, and was officially published on April 16, 2025 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') issue, identified as CWE-79. It has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires contributor-level privileges to exploit (NVD).

This vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site (Patchstack).

The vulnerability has been patched in version 2.2.1 of the WP Wham Checkout Files Upload for WooCommerce plugin. Users are advised to update to version 2.2.1 or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins (Patchstack).