CVE-2025-10167 is a stored cross-site scripting vulnerability identified in the Stock History & Reports Manager for WooCommerce plugin for WordPress, affecting all versions up to and including 2.2.1. The vulnerability stems from improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of user-supplied attributes in the 'alg_wc_stock_snapshot_restocked' shortcode. Authenticated attackers with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into pages that utilize this shortcode. Because the malicious script is stored, it executes every time any user accesses the infected page, potentially leading to session hijacking, unauthorized actions, or privilege escalation within the WordPress environment. The attack vector is remote over the network, with low attack complexity, but requires the attacker to have at least contributor privileges, and no user interaction is needed for exploitation. The vulnerability impacts confidentiality and integrity but not availability, and the scope is confined to WordPress sites running the vulnerable plugin. No known exploits are currently reported in the wild, but the risk remains significant due to the widespread use of WooCommerce and the plugin in e-commerce environments. The CVSS 3.1 base score is 6.4, reflecting medium severity. The vulnerability was reserved in September 2025 and published in October 2025. No official patches have been linked yet, so mitigation relies on access control and input validation measures.

For European organizations, this vulnerability poses a moderate risk primarily to e-commerce platforms using WooCommerce with the affected plugin. Exploitation can lead to unauthorized script execution, enabling attackers to hijack user sessions, steal sensitive data such as authentication tokens, or perform actions on behalf of legitimate users. This can undermine customer trust, lead to data breaches involving personal and payment information, and cause reputational damage. Since contributors can inject malicious code, insider threats or compromised contributor accounts increase risk. The vulnerability does not directly impact system availability but can facilitate further attacks that degrade service or compromise integrity. Given the prominence of WooCommerce in European e-commerce, especially in countries with large online retail sectors, the threat could affect a significant number of businesses. Compliance with GDPR and other data protection regulations means that exploitation could also result in legal and financial penalties if personal data is exposed.

1. Monitor for and apply official patches or updates from the plugin vendor as soon as they become available. 2. Until patched, restrict contributor-level permissions to trusted users only, minimizing the risk of malicious shortcode injection. 3. Implement additional input validation and output encoding at the WordPress theme or plugin level to sanitize shortcode attributes before rendering. 4. Employ Web Application Firewalls (WAFs) configured to detect and block common XSS payloads targeting WordPress shortcodes. 5. Conduct regular security audits and code reviews of custom shortcodes and plugins to identify similar vulnerabilities. 6. Educate content contributors about the risks of injecting untrusted content and enforce strict content submission policies. 7. Use security plugins that can detect and alert on suspicious script injections or changes in shortcode content. 8. Maintain regular backups of website data to enable quick restoration in case of compromise.