CVE-2025-48254: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in WPFactory Change Add to Cart Button Text for WooCommerce plugin affecting versions up to and including 2.2.2. The vulnerability was discovered and reported on May 19, 2025 (NVD, Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It has received a CVSS v3.1 base score of 5.4 (Medium) from NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, while Patchstack assessed it with a slightly higher score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L (NVD).

If exploited, this vulnerability could allow attackers to inject malicious scripts into web pages. When executed, these scripts could lead to various consequences including theft of sensitive information, session hijacking, or manipulation of webpage content (Patchstack).

Users are advised to update to version 2.2.3 or later of the plugin to address this vulnerability. The security issue has been assessed as having a low severity impact and is considered unlikely to be exploited (Patchstack).