CVE-2025-7808: 
WordPress vulnerability analysis and mitigation

The WP Shopify WordPress plugin before version 1.5.4 contains a Reflected Cross-Site Scripting vulnerability (CVE-2025-7808). The vulnerability was discovered and disclosed on July 24, 2025, affecting the plugin's handling of the 'product' parameter. The vulnerability stems from insufficient input sanitization and output escaping of user input (WPScan, NVD).

The vulnerability exists due to improper sanitization and escaping of a parameter before outputting it back in the page. The issue can be triggered by adding the [wp-shopify-continue-shopping] shortcode to a post and accessing it with a specially crafted 'product' parameter. The vulnerability has been assigned a CVSS 3.1 Base Score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (Rapid7).

This vulnerability could allow attackers to execute arbitrary web scripts in the context of high-privilege users such as administrators. When successfully exploited, it enables the injection of malicious JavaScript code that executes in the victim's browser, potentially leading to session hijacking, credential theft, or other malicious actions (WPScan).

Users are advised to update their WP Shopify WordPress plugin to version 1.5.4 or later, which contains the fix for this vulnerability (WPScan).