CVE-2025-10167 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Stock History & Reports Manager for WooCommerce plugin for WordPress, affecting all versions up to and including 2.2.1. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically within the 'alg_wc_stock_snapshot_restocked' shortcode. This shortcode fails to adequately sanitize and escape user-supplied attributes, allowing authenticated attackers with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability does not require user interaction beyond viewing the injected page and has a CVSS 3.1 base score of 6.4, reflecting medium severity. The attack vector is network-based with low attack complexity, requiring privileges but no user interaction. No public exploits have been reported yet. This vulnerability is particularly concerning for e-commerce websites using WooCommerce and this plugin, as it could be leveraged to compromise administrative accounts or customer data. The scope is limited to installations where the vulnerable plugin is active and accessible to authenticated users with contributor or higher roles.

For European organizations, especially those operating e-commerce platforms on WordPress with WooCommerce and the vulnerable plugin, this vulnerability poses a significant risk. Successful exploitation can lead to unauthorized script execution in the context of the affected website, enabling attackers to hijack user sessions, steal sensitive data, or perform actions on behalf of legitimate users. This can result in data breaches, loss of customer trust, financial fraud, and reputational damage. Given the medium severity and requirement for contributor-level access, insider threats or compromised accounts pose a particular risk. The impact on confidentiality and integrity is notable, while availability is less affected. Organizations with large user bases or handling sensitive customer information are at higher risk. The vulnerability could also be leveraged as a foothold for further attacks within the network. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure.

1. Monitor for and apply official patches or updates from wpcodefactory as soon as they are released to address CVE-2025-10167. 2. Until patches are available, restrict contributor-level and higher access to trusted users only, minimizing the risk of malicious shortcode injection. 3. Implement additional input validation and output encoding at the application or web server level to mitigate XSS risks, such as using Content Security Policy (CSP) headers to restrict script execution. 4. Regularly audit user roles and permissions to ensure least privilege principles are enforced. 5. Employ Web Application Firewalls (WAFs) configured to detect and block XSS payloads targeting the vulnerable shortcode. 6. Educate administrators and content contributors about the risks of injecting untrusted content and encourage safe content management practices. 7. Monitor logs and website behavior for unusual activity indicative of exploitation attempts. 8. Consider isolating or disabling the vulnerable plugin if it is not essential to reduce attack surface.