A Cross-Site Scripting (XSS) vulnerability has been found in the WordPress Bonus for Woo plugin, version 7.1. It could allow an attacker to inject scripts into pages served by the website; such scripts could be used to steal user credentials, redirect users to malicious websites, or display unwanted ads.

This vulnerability was discovered and reported by Enrico Marcolini.

Severity

CVSS 3.1 Score: 7.1 (High)

Affected Versions

The affected versions of the plugin are 7.1 and earlier.

Impact

If an attacker is able to exploit this vulnerability, they could gain access to your website and its users' accounts. They could also use it to damage the website or its owner's reputation.

Recommendation

To secure the WordPress website against this critical security vulnerability, it is essential to take the following actions immediately:

  1. Update the Plugin: Upgrade the Bonus for Woo plugin to the latest version available (at least 5.8.3). The update includes security fixes and will help mitigate the XSS risk.
  2. Continual Monitoring: Stay vigilant and keep monitoring for future plugin updates. Regularly review the changelog to ensure security improvements and other vital enhancements are integrated.
  3. Security Best Practices: Implement additional security measures, such as using a WordPress security plugin, employing strong and unique passwords, and keeping regular backups of the site.