CVE-2025-12123 is a reflected Cross-Site Scripting vulnerability identified in the Customer Reviews Collector for WooCommerce plugin for WordPress, affecting all versions up to and including 4.6.1. The vulnerability stems from improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'email-text' parameter. This flaw allows unauthenticated attackers to craft malicious URLs containing JavaScript payloads that execute in the context of a victim's browser when the victim clicks the link. The attack vector is network-based with no privileges required, but it requires user interaction, such as clicking a malicious link. The vulnerability impacts the confidentiality and integrity of user data by potentially enabling theft of session cookies, redirection to malicious sites, or manipulation of displayed content. The CVSS v3.1 score is 6.1, reflecting medium severity, with the scope marked as changed due to the potential for cross-origin impact. There are no known exploits in the wild yet, and no official patches have been released at the time of publication. The plugin is widely used in WooCommerce-based e-commerce sites to collect and display customer reviews, making it a valuable target for attackers seeking to compromise user trust or steal sensitive information. The vulnerability is categorized under CWE-79, which is a common and well-understood web application security issue. Mitigation requires either applying vendor patches when available or implementing strict input validation and output encoding on the affected parameter to prevent script injection.

For European organizations, particularly those operating e-commerce platforms using WooCommerce with the Customer Reviews Collector plugin, this vulnerability poses a risk of client-side script injection leading to session hijacking, phishing, or unauthorized actions performed on behalf of users. The reflected XSS can undermine customer trust by enabling attackers to manipulate review content or redirect users to malicious sites. Confidentiality of user data such as cookies or personal information may be compromised, and integrity of displayed content can be altered, potentially damaging brand reputation and causing financial loss. Although availability is not directly impacted, the indirect effects of successful exploitation can disrupt business operations and customer relations. The medium severity rating indicates a moderate but tangible risk, especially in environments with high user interaction and customer engagement. European e-commerce businesses are increasingly targeted by cybercriminals, making timely mitigation critical to avoid exploitation. The lack of required authentication lowers the barrier for attackers, increasing the likelihood of exploitation if users can be socially engineered to click malicious links.

1. Monitor the vendor's official channels for a security patch and apply it immediately upon release. 2. Until a patch is available, implement web application firewall (WAF) rules to detect and block suspicious requests containing malicious scripts in the 'email-text' parameter. 3. Employ strict input validation on all user-supplied parameters, especially 'email-text', ensuring only expected characters and formats are accepted. 4. Apply proper output encoding/escaping in the plugin’s code to neutralize any injected scripts before rendering content in the browser. 5. Educate users and staff about phishing and social engineering risks to reduce the chance of clicking malicious links. 6. Conduct regular security audits and penetration testing focusing on web application input handling. 7. Consider disabling or replacing the vulnerable plugin with a more secure alternative if immediate patching is not feasible. 8. Use Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS attacks. 9. Keep WordPress core and all plugins/themes updated to minimize exposure to known vulnerabilities.