Cyber Resilience

CVE-2025-68041

Severity: High
Published: 22 January 2026
Modified: 15 April 2026
KEV added: no (not listed in the CISA KEV catalog)
Tags: Patch
CVSS v3.1: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS: 0.0006 (20.3rd percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-68041 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 20.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-68041 is a Stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79 (improper neutralization of input during web page generation), affecting the codisto Omnichannel for WooCommerce WordPress plugin (codistoconnect). The issue impacts all versions up to and including 1.3.65. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity: the flaw is reachable over the network, has low attack complexity, requires no privileges, requires user interaction, and has a changed scope, with low impacts on confidentiality, integrity, and availability.

Attackers can exploit this Stored XSS vulnerability without authentication by injecting malicious scripts into plugin-handled inputs that are stored and later rendered on web pages viewed by users. Exploitation requires a victim to interact by accessing the affected page, at which point the script executes in their browser context. This enables limited impacts such as low-level data exfiltration, script injection for session manipulation, or minor disruptions, leveraging the changed scope to affect other users.

The Patchstack advisory at the referenced URL documents this vulnerability in the Omnichannel for WooCommerce plugin up to version 1.3.65, highlighting the need for updates to mitigate the Stored XSS risk. Security practitioners should verify and apply patches beyond the affected version range for WordPress sites using this plugin.

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codisto Omnichannel for WooCommerce codistoconnect allows Stored XSS. This issue affects Omnichannel for WooCommerce: from n/a through <= 1.3.65.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1185 Browser Session Hijacking (Collection): Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.

Why these techniques?

Stored XSS in a public-facing WordPress plugin directly enables exploitation of the web application (T1190) and facilitates browser session hijacking via the injected scripts (T1185).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1843 (shared CWE-79)
CVE-2026-42678 (shared CWE-79)
CVE-2023-49186 (shared CWE-79)
CVE-2025-22586 (shared CWE-79)
CVE-2026-1316 (shared CWE-79)
CVE-2025-23451 (shared CWE-79)
CVE-2026-34564 (shared CWE-79)
CVE-2025-23744 (shared CWE-79)
CVE-2025-23923 (shared CWE-79)
CVE-2025-23905 (shared CWE-79)

Mitigating Controls (NIST 800-53 r5, AI-selected)

Prevent: SI-10 Information Input Validation. Requires validation and neutralization of all untrusted inputs before storage or rendering, directly blocking the improper neutralization that enables stored XSS in the plugin.

Prevent: SI-15 Information Output Filtering. Mandates output filtering/encoding of stored content before web page generation, preventing malicious scripts from executing in victim browsers.

Prevent / Detect: Provides mechanisms to detect and block malicious code (scripts) injected via the plugin's inputs before they are stored or executed.
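As an added illustration, not code from the codisto plugin or from this advisory, the PHP below contrasts the store-and-echo pattern the Deeper analysis describes with a version that applies SI-10 at storage time and SI-15 at render time. The function names, the in-memory $store array and the sample input are constructed for this example; the WordPress helpers named in the comments (sanitize_text_field, esc_html) are the real equivalents a plugin would call, and the script uses plain PHP so it runs outside WordPress.

```php
<?php
// Added example (not the codisto plugin's code): the stored-XSS pattern the
// advisory describes, beside a hardened version applying SI-10 (validate and
// neutralize before storage) and SI-15 (encode for the output context).
// Function names, the $store array and the sample input are constructed.
declare(strict_types=1);

// --- Vulnerable pattern: unauthenticated input stored verbatim, echoed raw ---
function store_vulnerable(array &$store, string $input): void
{
    // In a plugin this kind of write might sit behind a wp_ajax_nopriv_* or
    // public REST route, which is what makes PR:N (no privileges) apply.
    $store['note'] = $input;
}

function render_vulnerable(array $store): string
{
    // Whatever was stored lands in the page of every later visitor (UI:R, S:C).
    return '<div class="note">' . $store['note'] . '</div>';
}

// --- Hardened, SI-10 on the way in -----------------------------------------
function store_hardened(array &$store, string $input): void
{
    // Plain-PHP equivalent of WordPress sanitize_text_field(): drop tags and
    // control characters, collapse whitespace, enforce a length bound.
    $clean = strip_tags($input);
    $clean = preg_replace('/[\x00-\x1F\x7F]/u', '', $clean) ?? '';
    $clean = trim(preg_replace('/\s+/u', ' ', $clean) ?? '');
    if (mb_strlen($clean) > 200) {
        throw new InvalidArgumentException('note exceeds 200 characters');
    }
    $store['note'] = $clean;
}

// --- Hardened, SI-15 on the way out ----------------------------------------
function render_hardened(array $store): string
{
    // Plain-PHP equivalent of WordPress esc_html(): encoding for an HTML text
    // node. Encode at render even though storage was sanitized; rows written
    // before the fix, or by another code path, may still hold raw markup.
    $encoded = htmlspecialchars($store['note'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="note">' . $encoded . '</div>';
}

// Constructed sample input: markup a visitor could submit through the form.
$sample = "<script>alert(1)</script>  hello <b>world</b>";

$vuln = [];
store_vulnerable($vuln, $sample);
echo "vulnerable render:        ", render_vulnerable($vuln), PHP_EOL;

// Output encoding alone already neutralizes a row that was stored raw.
echo "encoded unsanitized row:  ", render_hardened($vuln), PHP_EOL;

$safe = [];
store_hardened($safe, $sample);
echo "hardened store + render:  ", render_hardened($safe), PHP_EOL;

// Check suitable for a unit test: the rendered body must contain no raw '<'
// originating from the stored value.
$body = substr(render_hardened($vuln), strlen('<div class="note">'), -strlen('</div>'));
echo "raw '<' in rendered body: ", (strpos($body, '<') === false ? 'no' : 'yes'), PHP_EOL;
```

The encoding function must match the output context: esc_html() (or htmlspecialchars) is correct for a text node, attribute values need esc_attr(), URLs need esc_url(), and where a limited set of HTML is intentionally allowed, wp_kses_post() is the WordPress allow-list filter. Sanitizing on input without encoding on output leaves older stored rows exposed, which is why the advisory lists both SI-10 and SI-15 rather than one or the other.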
