CVE-2025-11727 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Codisto Omnichannel for WooCommerce plugin, which integrates Google, Amazon, eBay, and Walmart marketplaces. The vulnerability exists in the sync() function due to improper neutralization of input during web page generation, specifically lacking sufficient input sanitization and output escaping. This flaw allows unauthenticated attackers to inject arbitrary JavaScript code into pages rendered by the plugin. When a user visits an infected page, the malicious script executes in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions performed with the user's privileges. The vulnerability affects all plugin versions up to and including 1.3.65. The CVSS 3.1 base score is 7.2, reflecting network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and a scope change (S:C) with low confidentiality and integrity impacts but no availability impact. No patches are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability's presence in a widely used e-commerce plugin raises concerns for online retailers relying on Codisto for marketplace integrations.

The impact of CVE-2025-11727 is significant for organizations using the affected Codisto Omnichannel plugin. Successful exploitation can lead to unauthorized script execution in users' browsers, enabling attackers to steal session cookies, perform actions on behalf of users, and potentially pivot to further attacks within the affected e-commerce environment. This compromises the confidentiality and integrity of user data and transactions. Since the vulnerability requires no authentication or user interaction, it can be exploited remotely and at scale, increasing the risk of widespread attacks. E-commerce businesses could suffer reputational damage, financial loss, and regulatory penalties due to data breaches or fraudulent transactions. Additionally, customer trust may erode if personal or payment information is exposed. The scope includes all users accessing affected pages, potentially impacting both administrators and customers. The lack of availability impact means the service remains operational, but the security breach risks are high.

To mitigate CVE-2025-11727, organizations should immediately update the Codisto Omnichannel plugin to a patched version once available. In the absence of an official patch, temporary mitigations include implementing a Web Application Firewall (WAF) with custom rules to detect and block malicious payloads targeting the sync() function or suspicious script injections. Administrators should audit and sanitize all inputs related to the plugin manually, removing any suspicious or injected content from the database. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected pages. Regularly monitor web server and application logs for unusual activity indicative of exploitation attempts. Educate users and administrators about the risks of XSS and encourage the use of multi-factor authentication to reduce the impact of session hijacking. Finally, conduct thorough security testing of the WooCommerce environment and related plugins to identify and remediate similar vulnerabilities proactively.