CVE-2025-9115: 
WordPress vulnerability analysis and mitigation

The Etsy Shop WordPress plugin versions prior to 3.0.7 contains a reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-9115. The vulnerability was discovered by Bob Matyas and publicly disclosed on September 1, 2025. The issue affects the plugin's handling of the $SERVER['REQUESTURI'] parameter, which could lead to XSS attacks in older web browsers (WPScan).

The vulnerability stems from improper escaping of the $SERVER['REQUESTURI'] parameter before it is output back in an attribute. This implementation flaw could allow malicious data to be executed in the context of old web browsers. The vulnerability has been assigned a CVSS score of 5.8 (Medium) and is classified under CWE-79: Cross-Site Scripting (WPScan).

If successfully exploited, this vulnerability could allow attackers to execute arbitrary JavaScript code in the context of other users' browsers who visit the affected pages. This could potentially lead to theft of sensitive information, session hijacking, or other client-side attacks (WPScan).

The vulnerability has been patched in version 3.0.7 of the Etsy Shop plugin. Site administrators are advised to update to this version or later to protect against potential XSS attacks (WPScan).