CVE-2025-13137 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Live Sales Notification for Woocommerce – Woomotiv plugin for WordPress, which is widely used to display real-time sales notifications on e-commerce websites. The vulnerability stems from improper neutralization of input during web page generation, specifically in the handling of the 'woomotiv_limit' parameter. Versions up to and including 3.6.3 fail to adequately sanitize and escape this parameter, allowing attackers to inject arbitrary JavaScript code. Since the vulnerability is reflected, the malicious payload is embedded in a crafted URL or request that, when clicked or visited by a user, causes the injected script to execute in the context of the victim's browser. This can lead to theft of session cookies, user impersonation, or unauthorized actions performed on behalf of the user. The vulnerability does not require authentication, increasing its risk profile, but does require user interaction (clicking a malicious link). The CVSS v3.1 base score is 6.1, reflecting medium severity with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality and integrity but not availability. No public exploits have been reported yet. The vulnerability affects all versions of the plugin up to 3.6.3, and no official patch links are currently available. The issue was reserved and published in late 2025 by Wordfence, a reputable security vendor. Given the widespread use of WordPress and Woocommerce in e-commerce, this vulnerability poses a significant risk to online retailers using this plugin to enhance sales notifications.

For European organizations, particularly those operating e-commerce websites using WordPress and the Woocommerce platform with the Live Sales Notification for Woomotiv plugin, this vulnerability can lead to significant security risks. Successful exploitation can result in session hijacking, enabling attackers to impersonate legitimate users, potentially including customers or administrators. This can lead to unauthorized access to sensitive customer data, manipulation of orders, or fraudulent transactions, impacting confidentiality and integrity. Although availability is not directly affected, reputational damage and loss of customer trust can have substantial business consequences. The vulnerability's requirement for user interaction means phishing or social engineering campaigns could be used to lure victims, increasing the threat surface. European organizations with high volumes of online transactions, especially in countries with mature e-commerce markets, face elevated risks. Regulatory implications under GDPR may also arise if customer data is compromised, leading to potential fines and legal consequences.

1. Monitor the plugin vendor's official channels for a security patch and apply updates immediately once available. 2. Until a patch is released, implement Web Application Firewall (WAF) rules that specifically detect and block malicious payloads targeting the 'woomotiv_limit' parameter to prevent exploitation. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on web pages. 4. Conduct regular security awareness training for staff and customers to recognize phishing attempts and suspicious links. 5. Review and harden input validation and output encoding practices on the website, especially for user-controllable parameters. 6. Consider temporarily disabling or replacing the vulnerable plugin if patching or mitigation is not feasible in the short term. 7. Monitor web server and application logs for unusual requests or patterns indicative of attempted exploitation. 8. Use security plugins or services that provide XSS detection and prevention capabilities tailored for WordPress environments.