CVE-2025-8618: 
WordPress vulnerability analysis and mitigation

The WPC Smart Quick View for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's woosq_btn shortcode in versions up to and including 4.2.1. This vulnerability was discovered and disclosed on August 20, 2025, and has been assigned identifier CVE-2025-8618. The vulnerability affects the plugin's shortcode functionality due to insufficient input sanitization and output escaping on user-supplied attributes (Wordfence).

The vulnerability exists in the woosq_btn shortcode implementation where user-supplied attributes are not properly sanitized before being output. This allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. When users access an affected page, the injected scripts will execute in their browser context. The vulnerability has been assigned a CVSS v3.1 score of 6.4 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows authenticated attackers to inject malicious scripts that execute in visitors' browsers when they view affected pages. This could lead to various attacks including cookie theft, session hijacking, or other client-side attacks targeting site visitors. The impact is limited by the requirement for an authenticated account with contributor-level access or higher (NVD).

The vulnerability has been patched in version 4.2.2 of the WPC Smart Quick View plugin. Site administrators should update to this version immediately. The update includes security improvements to properly sanitize and escape user input in the shortcode functionality (WordPress Plugin).