CVE-2025-13137 is a reflected Cross-Site Scripting (XSS) vulnerability identified in the Live Sales Notification for Woocommerce – Woomotiv plugin for WordPress, affecting all versions up to and including 3.6.3. The vulnerability stems from improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'woomotiv_limit' parameter. This flaw allows unauthenticated attackers to craft malicious URLs containing JavaScript payloads that, when clicked by a victim, execute arbitrary scripts in the context of the victim's browser session. The vulnerability is classified under CWE-79, indicating a failure to properly sanitize user input before including it in web pages. The CVSS v3.1 base score is 6.1, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, but requiring user interaction and impacting confidentiality and integrity with a scope change. While no known exploits are currently reported in the wild, the vulnerability poses a risk to WordPress sites using this plugin, particularly e-commerce sites relying on WooCommerce for live sales notifications. Attackers could leverage this to steal session cookies, perform actions on behalf of users, or conduct phishing attacks. The vulnerability affects a widely used e-commerce plugin, increasing the potential attack surface. The lack of available patches at the time of disclosure necessitates immediate mitigation steps by administrators.

The primary impact of CVE-2025-13137 is on the confidentiality and integrity of user data on affected WordPress sites. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of a victim's browser, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of the user. This can undermine customer trust, lead to data breaches, and facilitate further attacks such as phishing or malware distribution. Although the vulnerability does not directly affect availability, the resulting compromise could lead to reputational damage and financial losses for e-commerce businesses. Given the widespread use of WooCommerce and its plugins, a large number of online stores globally could be targeted, especially those that have not updated or mitigated this vulnerability. The requirement for user interaction (clicking a malicious link) somewhat limits automated exploitation but does not eliminate risk, particularly in phishing-prone environments.

1. Apply official patches or updates from the plugin vendor as soon as they become available to address the input sanitization and output escaping issues. 2. Until patches are released, implement Web Application Firewall (WAF) rules to detect and block malicious payloads targeting the 'woomotiv_limit' parameter. 3. Employ strict input validation and output encoding on all user-controllable parameters within the plugin code if custom modifications are possible. 4. Configure Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. 5. Educate users and administrators about phishing risks and encourage caution when clicking on unsolicited links. 6. Regularly audit and monitor web server logs for suspicious requests containing unusual parameters or script tags. 7. Consider temporarily disabling the Live Sales Notification feature if immediate patching is not feasible and the risk is deemed high. 8. Use security plugins that provide XSS protection and scanning capabilities for WordPress environments.