CVE-2025-9115

The Etsy Shop WordPress plugin before 3.0.7 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.

CVSS v3 5.6 MEDIUM

5.6^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://wpscan.com/vulnerability/67721fa5-4d4f-468b-aa77-c406e68fcf17/

Configurations

No configuration.

History

22 Sep 2025, 17:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.6

22 Sep 2025, 06:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-09-22 06:15

Updated : 2025-09-22 21:22

NVD link : CVE-2025-9115

Mitre link : CVE-2025-9115

CVE.ORG link : CVE-2025-9115

JSON object : View

Products Affected

No product.

CWE

No CWE.

5.6 /10