QR Code for WooCommerce order emails, PDF invoices, packing slips

6.4 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Description

The QR Code for WooCommerce order emails, PDF invoices, packing slips plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 1.9.42 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Basic Information

ID CVE-2025-14626

Source Wordfence

Published Jan 7, 2026 at 09:20

Affected Product

Vendor www15to

Product QR Code for WooCommerce order emails, PDF invoices, packing slips

Version *

Affected Versions www15to QR Code for WooCommerce order emails, PDF invoices, packing slips *

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "The QR Code for WooCommerce order emails, PDF invoices, packing slips plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 1.9.42 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
    "published": "2026-01-07T09:20:57.050Z",
    "modified": "2026-01-07T09:20:57.050Z",
    "type": "cve",
    "title": "QR Code for WooCommerce order emails, PDF invoices, packing slips <= 1.9.42 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode Attributes",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5b2e599c-48de-4d3a-94a3-b98badfb7a98?source=cve\nhttps://plugins.trac.wordpress.org/browser/qr-code-tag-for-wc-from-goaskle-com/tags/1.9.42/lib/qrct/QrctWp.php#L1661\nhttps://plugins.trac.wordpress.org/browser/qr-code-tag-for-wc-from-goaskle-com/trunk/lib/qrct/QrctWp.php#L1661",
    "id": "CVE-2025-14626",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "www15to QR Code for WooCommerce order emails, PDF invoices, packing slips *",
    "sourceHref": "",
    "cvss": {
        "score": 6.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "QR Code for WooCommerce order emails, PDF invoices, packing slips",
    "version": "*",
    "vendor": "www15to",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

QR Code for WooCommerce order emails, PDF invoices, packing slips <= 1.9.42 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode Attributes_CVE-2025-14626