CVE-2025-10167 is a stored cross-site scripting (XSS) vulnerability identified in the Stock History & Reports Manager for WooCommerce plugin for WordPress, specifically affecting all versions up to and including 2.2.1. The vulnerability stems from improper neutralization of input during web page generation, classified under CWE-79. The plugin's 'alg_wc_stock_snapshot_restocked' shortcode fails to adequately sanitize and escape user-supplied attributes, allowing authenticated users with contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability requires no user interaction beyond visiting the affected page but does require the attacker to have contributor or higher privileges, which limits exploitation to insiders or compromised accounts. The CVSS 3.1 base score is 6.4 (medium severity), with an attack vector of network, low attack complexity, privileges required, no user interaction, and a scope change indicating that the vulnerability affects resources beyond the initially vulnerable component. No known exploits have been reported in the wild, and no official patches are currently linked, emphasizing the need for proactive mitigation. This vulnerability is particularly relevant to e-commerce sites using WooCommerce and this plugin, which are widely deployed on WordPress platforms worldwide.

The impact of CVE-2025-10167 can be significant for organizations relying on the affected WooCommerce plugin. Successful exploitation allows attackers with contributor-level access to inject persistent malicious scripts, which execute in the context of any user visiting the infected page. This can lead to session hijacking, theft of sensitive information such as authentication tokens, unauthorized actions performed on behalf of users, and potential privilege escalation if administrative users are targeted. For e-commerce sites, this could result in compromised customer data, fraudulent transactions, and reputational damage. Although exploitation requires authenticated access, contributor-level permissions are commonly granted to content creators or third-party collaborators, increasing the attack surface. The vulnerability does not directly affect availability but compromises confidentiality and integrity of data and user sessions. Given the widespread use of WordPress and WooCommerce, many small to medium-sized businesses globally could be affected, especially those not employing strict access controls or monitoring. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability becomes publicly known.

To mitigate CVE-2025-10167, organizations should take several specific steps beyond generic advice: 1) Immediately review and restrict contributor-level access to trusted users only, minimizing the number of accounts that can exploit this vulnerability. 2) Implement strict input validation and output escaping on all shortcode attributes if custom modifications are possible, or temporarily disable the vulnerable shortcode until a patch is available. 3) Monitor WordPress logs and user activity for unusual behavior indicative of XSS exploitation attempts, such as unexpected script injections or changes in page content. 4) Employ Web Application Firewalls (WAFs) with rules designed to detect and block XSS payloads targeting the affected shortcode parameters. 5) Encourage users to update the plugin promptly once the vendor releases a security patch. 6) Educate content contributors about the risks of uploading untrusted content or scripts. 7) Consider isolating or sandboxing administrative and contributor sessions to limit the impact of potential script execution. These targeted actions will reduce the risk of exploitation until an official patch is deployed.