CVE-2025-49042: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in Automattic's WooCommerce plugin, tracked as CVE-2025-49042. The vulnerability affects WooCommerce versions up to 10.0.2 and was disclosed on October 29, 2025. This security issue specifically impacts users with Shop manager or higher privileges (NVD, Wordfence).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. According to the CVSS 3.1 scoring, it has received a base score of 5.9 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. This indicates that the vulnerability requires high privileges and user interaction to exploit, with potential impacts on confidentiality, integrity, and availability all rated as Low (NVD).

The vulnerability allows authenticated users with Shop manager or higher privileges to perform Stored Cross-Site Scripting attacks. This could potentially lead to unauthorized access to sensitive information, manipulation of web content, and compromise of user sessions (NVD).

Users are advised to update their WooCommerce installation to a version newer than 10.0.2 to address this vulnerability (Patchstack).