{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3814", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-18T20:43:20.759Z", "datePublished": "2025-04-22T05:27:24.652Z", "dateUpdated": "2026-04-08T17:29:14.948Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:14.948Z"}, "affected": [{"vendor": "wijnbergdevelopments", "product": "Tax Switch for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.4.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Tax Switch for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018class-name\u2019 parameter in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Tax Switch for WooCommerce <= 1.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via class-name Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e290f1aa-d20a-4e76-b77b-3e5b79e9d379?source=cve"}, {"url": "https://wordpress.org/plugins/tax-switch-for-woocommerce/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/tax-switch-for-woocommerce/tags/1.4.0/includes/class-wdevs-tax-switch-block.php#L112"}, {"url": "https://plugins.trac.wordpress.org/changeset/3277044/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "timeline": [{"time": "2025-04-21T16:53:17.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-22T18:58:17.999112Z", "id": "CVE-2025-3814", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-22T18:58:48.485Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3814", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-22T18:58:17.999112Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-22T18:58:43.998Z"}}], "cna": {"title": "Tax Switch for WooCommerce <= 1.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via class-name Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Peter Thaleikis"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "wijnbergdevelopments", "product": "Tax Switch for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.4.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-21T16:53:17.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e290f1aa-d20a-4e76-b77b-3e5b79e9d379?source=cve"}, {"url": "https://wordpress.org/plugins/tax-switch-for-woocommerce/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/tax-switch-for-woocommerce/tags/1.4.0/includes/class-wdevs-tax-switch-block.php#L112"}, {"url": "https://plugins.trac.wordpress.org/changeset/3277044/"}], "descriptions": [{"lang": "en", "value": "The Tax Switch for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018class-name\u2019 parameter in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:14.948Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3814", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:29:14.948Z", "dateReserved": "2025-04-18T20:43:20.759Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-22T05:27:24.652Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Tax Switch for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018class-name\u2019 parameter in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Tax Switch para WooCommerce de WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s del par\u00e1metro 'class-name' en todas las versiones hasta la 1.4.2 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-3814", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-04-22T06:15:45.210", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tax-switch-for-woocommerce/tags/1.4.0/includes/class-wdevs-tax-switch-block.php#L112"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3277044/"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/tax-switch-for-woocommerce/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e290f1aa-d20a-4e76-b77b-3e5b79e9d379?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T23:12:24.077394+00:00", "value": {"mitigation_remediation": ["Apply the latest plugin update (version 1.4.3 or newer) to eliminate the stored XSS flaw.", "If a patch is not immediately available, temporarily disable or uninstall the Tax Switch plugin to prevent exploitation.", "Restrict Contributor roles to only the minimum permissions required and monitor account activity for unauthorized changes."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting (authenticated Contributor+)"}, "threat_synthesis": {"affected_systems": "The affected product is the Tax Switch for WooCommerce WordPress plugin by wijnbergdevelopments. All releases up to and including version 1.4.2 are vulnerable; newer versions claim the issue is resolved.", "description_and_impact": "The Tax Switch for WooCommerce plugin stores user\u2010supplied code in the database through the class\u2011name parameter without proper sanitization or escaping, allowing an authenticated attacker with at least Contributor rights to inject arbitrary JavaScript. Once injected, the code executes in the browser context of any user who visits the affected page, enabling attempts at session hijacking, cookie theft, defacement, or phishing. The vulnerability is a classic Cross\u2011Site Scripting flaw (CWE\u201179).", "risk_and_exploitability": "The CVSS base score of 6.4 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Likely exploitation requires a legitimate WordPress login with at least Contributor privileges and access to the plugin\u2019s class\u2011name configuration. If an attacker can modify the parameter, they can persist malicious scripts that trigger for any site visitor."}}}}, "created": "2026-04-20T23:15:06.310108+00:00", "updated": "2026-04-20T23:15:06.310118+00:00", "vendors": []}