CVE-2025-68041
Published: 22 January 2026
Summary
CVE-2025-68041 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); its exploit-likelihood score ranks at the 20.3rd percentile (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-68041 is a Stored Cross-Site Scripting (XSS) vulnerability, classified under CWE-79 (improper neutralization of input during web page generation), affecting the codisto Omnichannel for WooCommerce WordPress plugin (codistoconnect). The issue impacts all versions up to and including 1.3.65. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity: network accessibility, low attack complexity, no required privileges, required user interaction, and changed scope with low impacts on confidentiality, integrity, and availability.
Attackers can exploit this Stored XSS vulnerability without authentication by injecting malicious scripts into plugin-handled inputs that are stored and later rendered on web pages viewed by users. Exploitation requires a victim to interact by accessing the affected page, at which point the script executes in their browser context. This enables limited impacts such as low-level data exfiltration, script injection for session manipulation, or minor disruptions, leveraging the changed scope to affect other users.
The Patchstack advisory at the referenced URL documents this vulnerability in the Omnichannel for WooCommerce plugin up to version 1.3.65 and highlights the need to update in order to mitigate the Stored XSS risk. Security practitioners should update WordPress sites using this plugin to a version later than 1.3.65.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3988
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codisto Omnichannel for WooCommerce codistoconnect allows Stored XSS. This issue affects Omnichannel for WooCommerce: from n/a through <= 1.3.65.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in a public-facing WordPress plugin directly enables exploitation of the web application (T1190) and facilitates browser session hijacking via injected scripts (T1185).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and neutralization of all untrusted inputs before storage or rendering, directly blocking the improper neutralization that enables stored XSS in the plugin.
- SI-15 (Information Output Filtering): mandates output filtering/encoding of stored content before web page generation, preventing malicious scripts from executing in victim browsers.
- Malicious code protection: provides mechanisms to detect and block malicious code (scripts) injected via the plugin's inputs before they are stored or executed.
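The two controls above, validate on write and encode on read, as an added PHP illustration that is not code from the codistoconnect plugin or from the Patchstack advisory. It shows a generic WordPress settings field that stores a request value and later renders it, first in the unsafe form that characterises stored XSS and then with input validation (SI-10) and context-aware output escaping (SI-15). The option name `demo_store_name`, the function names, the nonce action and the `manage_options` capability check are assumptions for the example; the WordPress API calls (`update_option`, `get_option`, `sanitize_text_field`, `wp_unslash`, `esc_html`, `esc_attr`, `current_user_can`, `check_admin_referer`) are the standard core functions.

```php
<?php
// Added illustration (hypothetical settings field), not code from the
// codistoconnect plugin. Assumes the WordPress core API is loaded.

// --- Vulnerable pattern: raw request input stored and echoed unchanged ---

function demo_save_store_name_vulnerable() {
    // No capability or nonce check, no validation: whatever arrives in the
    // request is persisted verbatim in the options table.
    update_option( 'demo_store_name', $_POST['store_name'] ?? '' );
}

function demo_render_store_name_vulnerable() {
    // Stored markup is written straight into the page, so a persisted
    // <script> tag runs in the browser of every visitor who loads this page.
    echo '<h2>' . get_option( 'demo_store_name', '' ) . '</h2>';
}

// --- Hardened pattern: validate on input (SI-10), encode on output (SI-15) ---

function demo_save_store_name_hardened() {
    // Only an authenticated administrator, via a nonce-protected form, may
    // write the option; this closes the unauthenticated write path.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'demo_save_store_name' );

    // Input validation: remove slashes added by WP, strip tags and stray
    // whitespace, then bound the length before storing.
    $name = sanitize_text_field( wp_unslash( $_POST['store_name'] ?? '' ) );
    $name = mb_substr( $name, 0, 100 );
    update_option( 'demo_store_name', $name );
}

function demo_render_store_name_hardened() {
    // Output encoding chosen per context: esc_html() for HTML text nodes,
    // esc_attr() inside an attribute value. Stored data is treated as
    // untrusted even though it was sanitized on the way in.
    $name = get_option( 'demo_store_name', '' );
    echo '<h2>' . esc_html( $name ) . '</h2>';
    echo '<input type="text" name="store_name" value="' . esc_attr( $name ) . '">';
}
```

Validation on write alone is not sufficient, because existing rows stored before a fix, or written through another code path, still reach the renderer; escaping at the point of output is what guarantees the stored value cannot change the page's structure. When a field legitimately needs limited HTML, `wp_kses()` with an explicit allow-list replaces `sanitize_text_field()` on input, and `esc_html()` is replaced by `wp_kses()` again on output.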