CVE-2025-12398 is a reflected cross-site scripting vulnerability classified under CWE-79 found in the Product Table for WooCommerce plugin for WordPress, maintained by codersaiful. The vulnerability exists in all versions up to and including 5.0.8 due to insufficient input sanitization and output escaping of the 'search_key' parameter. This parameter is used during web page generation, and because it is not properly neutralized, an attacker can craft a malicious URL containing executable JavaScript code. When a victim clicks on such a link, the injected script executes in the context of the victim's browser, potentially leading to theft of cookies, session tokens, or other sensitive information, as well as manipulation of the displayed content. The attack does not require authentication but does require user interaction (clicking the malicious link). The vulnerability affects the confidentiality and integrity of user data but does not impact availability. The CVSS 3.1 score of 6.1 reflects a medium severity with network attack vector, low attack complexity, no privileges required, user interaction required, and scope changed due to the impact on user sessions. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability is significant for websites using WooCommerce with this plugin, especially those with high user traffic and e-commerce transactions.

The primary impact of this vulnerability is on the confidentiality and integrity of user data on affected websites. Successful exploitation can lead to theft of session cookies, enabling attackers to impersonate users, including administrators, potentially leading to unauthorized actions or data disclosure. It can also facilitate phishing attacks by modifying page content or redirecting users to malicious sites. While availability is not directly affected, the reputational damage and loss of customer trust can be substantial for e-commerce businesses. Since the vulnerability is exploitable remotely without authentication, any visitor to a compromised site is at risk if tricked into clicking a malicious link. This can lead to widespread exploitation if attackers distribute crafted URLs via email or social media. Organizations relying on this plugin for product display in WooCommerce stores face increased risk of customer data compromise and potential regulatory penalties if personal data is exposed.

Organizations should immediately update the Product Table for WooCommerce plugin to a version that addresses this vulnerability once available. In the absence of an official patch, implement web application firewall (WAF) rules to detect and block malicious payloads targeting the 'search_key' parameter. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Sanitize and validate all user inputs at the application level, especially parameters reflected in web pages. Educate users and staff about the risks of clicking unsolicited links. Monitor web server logs for suspicious requests containing script tags or unusual query parameters. Consider disabling or replacing the vulnerable plugin if a timely patch is not available. Regularly audit and update all WordPress plugins to minimize exposure to known vulnerabilities.