CVE-2025-48240: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in WPFactory Cost of Goods for WooCommerce plugin affecting versions through 3.7.0. The vulnerability was disclosed on May 19, 2025, and is tracked as CVE-2025-48240. This security issue allows for Stored XSS attacks due to improper neutralization of input during web page generation (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The attack vector is network-based (N), with low attack complexity (L), requiring low privileges (L) and user interaction (R). The scope is changed (C) with low impact on confidentiality, integrity, and availability (NVD, Patchstack).

If exploited, this vulnerability could allow a malicious actor to inject malicious scripts into the website, which would be executed when visitors access the affected pages. This could lead to various attacks including redirects, unauthorized advertisements, and other malicious HTML payloads being executed in visitors' browsers (Patchstack).

The vulnerability has been patched in version 3.7.1 of the Cost of Goods for WooCommerce plugin. Users are advised to update to this version or later to remove the vulnerability. For Patchstack users, enabling auto-update for vulnerable plugins is recommended as an additional security measure (Patchstack).