CVE-2025-6255: 
WordPress vulnerability analysis and mitigation

The Dynamic AJAX Product Filters for WooCommerce plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-6255) in versions up to and including 1.3.7. The vulnerability exists in the 'className' parameter due to insufficient input sanitization and output escaping. This security issue was discovered and disclosed on August 28, 2025, and was patched in version 1.3.8 (Wordfence, NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (CWE-79) issue. It has been assigned a CVSS v3.1 Base Score of 6.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability specifically affects the 'className' parameter in the plugin's functionality, where insufficient input sanitization and output escaping allow for the injection of malicious web scripts (NVD).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These injected scripts will execute whenever a user accesses the affected page, potentially compromising the security of site visitors (NVD).

The vulnerability has been patched in version 1.3.8 of the Dynamic AJAX Product Filters for WooCommerce plugin. Users are advised to update to this version immediately to address the security issue (WordPress Plugin).