CVE-2025-12191 identifies a stored Cross-Site Scripting (XSS) vulnerability in the PDF Catalog for WooCommerce plugin for WordPress, specifically in versions up to and including 1.1.18. The vulnerability arises from improper neutralization of input during web page generation, classified under CWE-79. The flaw exists in the 'pdfcatalog' AJAX action, where insufficient input sanitization and output escaping allow authenticated users with Subscriber-level privileges or higher to inject arbitrary JavaScript code. This malicious code is stored persistently and executed in the context of any user who views the affected page, enabling potential attacks such as session hijacking, defacement, or unauthorized actions performed with the victim's privileges. The vulnerability requires authentication and user interaction to trigger but can affect the confidentiality and integrity of user data and site operations. The CVSS 3.1 base score is 5.4, reflecting a medium severity with network attack vector, low attack complexity, and partial scope impact. No patches or known exploits are currently available, making timely mitigation critical. The vulnerability affects all versions of the plugin up to 1.1.18, widely used in WooCommerce-based e-commerce sites.

The impact of CVE-2025-12191 is significant for organizations running WooCommerce with the vulnerable PDF Catalog plugin. Successful exploitation can lead to unauthorized script execution in users' browsers, resulting in session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of users. This can compromise customer data confidentiality and site integrity, potentially damaging brand reputation and customer trust. Since the vulnerability requires authenticated access, attackers may leverage compromised or low-privilege accounts to escalate their impact. The stored nature of the XSS means the malicious payload persists and affects multiple users, increasing the attack surface. E-commerce platforms are particularly sensitive to such attacks due to the financial and personal data involved. Although no known exploits are reported yet, the medium severity and ease of exploitation suggest a credible risk that could be exploited in targeted attacks or automated scanning campaigns.

To mitigate CVE-2025-12191, organizations should immediately update the PDF Catalog for WooCommerce plugin to a patched version once available. In the absence of an official patch, administrators should restrict Subscriber-level users from accessing the 'pdfcatalog' AJAX action or disable the plugin if not essential. Implementing a Web Application Firewall (WAF) with rules to detect and block malicious script injections targeting the plugin's AJAX endpoints can provide temporary protection. Additionally, review and harden user role permissions to minimize unnecessary access. Conduct thorough input validation and output encoding on all user-supplied data related to the plugin, ideally by customizing or extending the plugin code if feasible. Regularly audit logs and monitor for unusual activity indicative of exploitation attempts. Educate users about phishing and social engineering risks that could lead to credential compromise, as authenticated access is required for exploitation.