CVE-2025-1064 is a stored cross-site scripting vulnerability classified under CWE-79, affecting the Login/Signup Popup (Inline Form + Woocommerce) WordPress plugin developed by xootix. The vulnerability exists due to insufficient sanitization and escaping of user-supplied input in the plugin's xoo_el_action shortcode, which is used to generate web page content. Authenticated users with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages. Because the injected scripts are stored persistently, they execute whenever any user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability affects all plugin versions up to and including 2.8.5. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits have been reported yet, but the vulnerability's nature makes it a significant risk for websites relying on this plugin, especially those with multiple contributors. The flaw highlights the importance of proper input validation and output encoding in web applications to prevent XSS attacks.

The primary impact of this vulnerability is the potential for stored XSS attacks, which can lead to session hijacking, theft of sensitive user data such as cookies or credentials, defacement of web pages, and unauthorized actions performed on behalf of legitimate users. For e-commerce sites using WooCommerce, this could result in fraudulent transactions or compromise of customer information. Since the vulnerability requires contributor-level access, attackers must first gain some level of authenticated access, which limits exposure but still poses a significant risk in environments with multiple contributors or weak access controls. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting the entire website's confidentiality and integrity. Organizations worldwide running WordPress sites with this plugin are at risk of reputational damage, financial loss, and regulatory penalties if customer data is compromised.

To mitigate this vulnerability, organizations should immediately update the Login/Signup Popup (Inline Form + Woocommerce) plugin to a patched version once released by the vendor. In the absence of an official patch, administrators should restrict contributor-level access to trusted users only and audit existing user roles and permissions to minimize risk. Implementing a web application firewall (WAF) with rules to detect and block XSS payloads targeting the xoo_el_action shortcode can provide temporary protection. Additionally, site administrators should review and sanitize any user-generated content inserted via this shortcode and consider disabling or removing the plugin if it is not essential. Regular security audits and monitoring for unusual activity or injected scripts can help detect exploitation attempts early. Finally, educating contributors about secure input practices and the risks of XSS can reduce inadvertent exploitation.