CVE-2025-1008 is a stored cross-site scripting vulnerability identified in the Recently Purchased Products For Woo plugin for WordPress, maintained by worldweb. This vulnerability affects all versions up to and including 1.1.3. The root cause is improper neutralization of input during web page generation (CWE-79), specifically insufficient sanitization and escaping of the 'view' parameter. Authenticated users with Contributor-level privileges or higher can inject arbitrary JavaScript code into pages via this parameter. Since the injected scripts are stored persistently, they execute whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed in the context of the victim's browser. The CVSS 3.1 base score is 6.4, indicating medium severity, with attack vector as network, low attack complexity, privileges required, no user interaction needed, and scope changed due to impact on other users. Although no public exploits are reported yet, the vulnerability is significant because Contributor-level access is commonly granted in WordPress environments, and stored XSS can have widespread consequences. The vulnerability affects the confidentiality and integrity of user data but does not impact availability. The plugin is used in e-commerce WordPress sites, increasing the risk to online stores and their customers.

The primary impact of CVE-2025-1008 is the compromise of confidentiality and integrity within affected WordPress sites. Exploitation allows attackers to execute arbitrary JavaScript in the context of other users, potentially leading to theft of authentication cookies, session tokens, or other sensitive information. This can facilitate account takeover, unauthorized transactions, or defacement. Since the vulnerability is stored XSS, the malicious payload persists and affects multiple users, increasing the attack surface. E-commerce sites using this plugin may suffer reputational damage, loss of customer trust, and financial losses if attackers leverage the vulnerability to conduct fraud or steal payment information. The requirement for Contributor-level access limits exploitation to insiders or compromised accounts, but such access is often granted to trusted users, making insider threats or account compromise realistic. The vulnerability does not affect system availability directly but can indirectly cause service disruptions if exploited for further attacks. Organizations worldwide relying on this plugin for WooCommerce storefronts are at risk, especially those with multiple contributors or less stringent access controls.

To mitigate CVE-2025-1008, organizations should immediately update the Recently Purchased Products For Woo plugin to a patched version once available. In the absence of an official patch, administrators should restrict Contributor-level and higher privileges to trusted users only and audit existing accounts for suspicious activity. Implementing Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'view' parameter can reduce risk. Additionally, applying strict input validation and output encoding on the 'view' parameter within the plugin code can prevent script injection. Site administrators should enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Regular security scanning and monitoring for anomalous behavior related to this plugin are recommended. Finally, educating contributors about safe input practices and monitoring plugin updates from the vendor worldweb are essential to maintain security.