CVE-2023-7151 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Product Enquiry for WooCommerce WordPress plugin versions prior to 3.2. The vulnerability arises because the plugin fails to properly sanitize and escape the 'page' parameter before reflecting it back within an HTML attribute. This improper handling allows an attacker to inject malicious JavaScript code that executes in the context of the victim's browser. Since the vulnerability is reflected, it requires the victim to click on a crafted URL containing the malicious payload. The impact is particularly severe when high-privilege users such as administrators are targeted, as the injected script could hijack their session, steal cookies, or perform actions on their behalf within the WordPress admin interface. The CVSS 3.1 base score is 6.1 (medium severity), reflecting that the attack vector is network-based, requires no privileges but does require user interaction, and has a scope change with limited confidentiality and integrity impact but no availability impact. No known exploits are currently reported in the wild, but the vulnerability is publicly disclosed and should be addressed promptly. The lack of patch links suggests that a fixed version (3.2 or later) is available but not linked here. This vulnerability is a classic example of CWE-79, where improper input validation leads to client-side code injection, posing risks of session hijacking, defacement, or privilege escalation via social engineering.

For European organizations using WooCommerce with the vulnerable Product Enquiry plugin, this vulnerability poses a tangible risk to website integrity and administrative security. Attackers could craft URLs that, when visited by site administrators or privileged users, execute malicious scripts capable of stealing authentication tokens or performing unauthorized administrative actions. This could lead to data leakage, unauthorized changes to e-commerce settings, or further compromise of the WordPress environment. Given WooCommerce's popularity in Europe for online retail, especially among SMEs, exploitation could disrupt business operations, damage customer trust, and lead to regulatory compliance issues under GDPR if personal data is exposed. The reflected nature of the XSS means phishing or social engineering campaigns could be used to lure administrators into clicking malicious links, increasing the attack surface. Although no active exploitation is reported, the public disclosure increases the risk of opportunistic attacks. Organizations with high-value e-commerce platforms or sensitive customer data are particularly at risk.

European organizations should immediately verify if their WooCommerce installations use the Product Enquiry plugin and confirm the version. Upgrading to version 3.2 or later, where the vulnerability is fixed, is the primary mitigation. If immediate upgrade is not feasible, implementing Web Application Firewall (WAF) rules to detect and block suspicious 'page' parameter inputs containing script tags or typical XSS payloads can reduce risk. Administrators should be trained to recognize phishing attempts involving suspicious URLs. Additionally, enforcing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regular security audits of WordPress plugins and monitoring for unusual admin activity are recommended. Finally, disabling or removing unused plugins reduces the attack surface.