CVE-2025-12191 is a stored Cross-Site Scripting (XSS) vulnerability identified in the PDF Catalog for WooCommerce plugin for WordPress, affecting all versions up to and including 1.1.18. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically within the 'pdfcatalog' AJAX action. Authenticated attackers with at least Subscriber-level privileges can inject arbitrary JavaScript code due to insufficient input sanitization and lack of proper output escaping. When other users access the affected pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the WordPress environment. The vulnerability has a CVSS v3.1 base score of 5.4, indicating medium severity, with an attack vector of network (remote), low attack complexity, requiring privileges (PR:L), and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component. No public exploits are known at this time, but the risk remains significant given the widespread use of WooCommerce and the plugin in e-commerce sites. The vulnerability was published on December 5, 2025, and no official patches have been linked yet. The flaw is particularly dangerous because it allows attackers with minimal privileges to compromise other users, including administrators, through stored malicious scripts embedded in catalog pages generated by the plugin.

For European organizations, this vulnerability poses a risk to the confidentiality and integrity of user sessions and data on WooCommerce-based e-commerce platforms using the vulnerable plugin. Attackers could leverage the XSS flaw to hijack administrator sessions, manipulate product catalogs, or inject malicious content, potentially damaging brand reputation and customer trust. The vulnerability does not directly impact availability but could facilitate further attacks that do. Given the prevalence of WooCommerce in European e-commerce, especially in countries with mature online retail sectors, the threat could affect a wide range of businesses from SMEs to large enterprises. Compromise could lead to data breaches involving customer information, financial fraud, or unauthorized changes to product offerings. The requirement for authenticated access limits exposure but does not eliminate risk, as subscriber-level accounts are common and often less protected. The lack of known exploits suggests a window for proactive mitigation before widespread exploitation occurs.

Organizations should monitor for an official patch from ovologics and apply it immediately upon release. Until then, implement strict input validation and output encoding on the 'pdfcatalog' AJAX action to prevent script injection. Restrict user roles and permissions to minimize the number of users with Subscriber-level or higher access, and enforce strong authentication policies such as multi-factor authentication to reduce account compromise risk. Conduct regular security audits of WordPress plugins and monitor logs for suspicious AJAX requests related to 'pdfcatalog'. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block XSS payloads targeting this plugin. Educate users about phishing and social engineering risks that could lead to account takeover. Finally, maintain regular backups and incident response plans tailored to web application attacks.