CVE-2025-10191 is a stored cross-site scripting (XSS) vulnerability found in the Big Post Shipping for WooCommerce plugin for WordPress, affecting all versions up to and including 2.1.1. The vulnerability arises from improper neutralization of user-supplied input in the 'wooboigpost_shipping_status' shortcode, where insufficient input sanitization and lack of output escaping allow authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code. This malicious code is stored persistently and executed in the context of any user who accesses the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The CVSS 3.1 base score is 6.4, reflecting medium severity, with an attack vector of network, low attack complexity, requiring privileges (contributor or above), no user interaction, and scope change due to impact on other users. Although no known exploits are reported in the wild, the vulnerability poses a significant risk to websites using this plugin, especially those with multiple authenticated users. The flaw is rooted in CWE-79, a common web application security issue related to cross-site scripting. The plugin is widely used in WooCommerce environments, which are popular in e-commerce platforms worldwide. The vulnerability can be exploited remotely by authenticated users without requiring victim interaction beyond page access. The lack of a patch link suggests that a fix may not yet be publicly available, increasing the urgency for interim mitigations.

For European organizations, especially e-commerce businesses using WooCommerce with the Big Post Shipping plugin, this vulnerability can lead to session hijacking, unauthorized actions, and potential data leakage through the execution of malicious scripts in users' browsers. This undermines customer trust, may lead to regulatory non-compliance under GDPR due to potential data breaches, and can disrupt business operations. Attackers with contributor-level access—often employees or third-party contractors—could exploit this to escalate privileges or manipulate order and shipping data. The persistent nature of stored XSS means that once injected, the malicious code affects all users accessing the compromised page, amplifying the impact. Given the widespread use of WooCommerce in Europe, the threat could affect a significant number of online retailers, potentially leading to financial losses and reputational damage.

Organizations should immediately audit their WordPress installations to identify the presence of the Big Post Shipping for WooCommerce plugin and verify its version. Until an official patch is released, restrict contributor-level access to trusted users only and monitor for suspicious activity. Implement web application firewall (WAF) rules to detect and block malicious payloads targeting the 'wooboigpost_shipping_status' shortcode. Employ strict input validation and output encoding on all user-supplied data related to this plugin, possibly via custom code or security plugins that sanitize shortcode attributes. Regularly review user-generated content for injected scripts and remove any suspicious entries. Additionally, ensure that WordPress core, themes, and other plugins are up to date to reduce overall attack surface. Prepare to apply the official patch promptly once available and communicate with stakeholders about the risk and mitigation steps.