CVE-2025-13369 is a reflected Cross-Site Scripting vulnerability identified in the Premmerce WooCommerce Customers Manager plugin for WordPress, affecting all versions up to and including 1.1.14. The vulnerability stems from insufficient sanitization and escaping of user-supplied input in the parameters 'money_spent_from', 'money_spent_to', 'registered_from', and 'registered_to' during web page generation. This improper neutralization allows an attacker to inject malicious JavaScript code into URLs that, when visited by an administrator, execute within the admin's browser context. Since the vulnerability is reflected, the attack requires the victim to click a crafted link or visit a malicious URL. The attacker does not need to be authenticated, but user interaction is necessary. The impact includes potential theft of administrator session cookies, unauthorized actions performed with admin privileges, or redirection to malicious sites, compromising confidentiality and integrity of the affected system. The CVSS v3.1 base score is 6.1, reflecting medium severity with network attack vector, low attack complexity, no privileges required, but user interaction needed, and scope change possible. No patches or exploits are currently publicly available, but the risk remains significant for sites using this plugin, especially those with high administrative activity. The vulnerability is categorized under CWE-79, a common and well-understood class of web application security issues. Organizations relying on WooCommerce and this plugin should assess exposure and implement mitigations promptly.

For European organizations, the impact of this vulnerability can be significant, particularly for e-commerce businesses using WordPress with the Premmerce WooCommerce Customers Manager plugin. Successful exploitation could allow attackers to hijack administrator sessions, leading to unauthorized access to customer data, order information, and potentially the ability to modify or delete data. This compromises confidentiality and integrity, potentially damaging customer trust and causing regulatory compliance issues under GDPR. While availability impact is low, the reputational and operational risks are considerable. Attackers could also use the vulnerability as a foothold for further attacks within the network. Given the unauthenticated nature of the exploit, attackers can target administrators via phishing or social engineering, increasing the attack surface. European organizations with high volumes of online transactions and customer data are at greater risk of financial and data breaches stemming from this vulnerability.

To mitigate CVE-2025-13369, organizations should immediately update the Premmerce WooCommerce Customers Manager plugin to a patched version once available. In the absence of an official patch, administrators should implement strict input validation and output encoding on the affected parameters at the web application firewall (WAF) or reverse proxy level to block malicious payloads. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the admin interface. Educate administrators to avoid clicking on suspicious links and implement multi-factor authentication (MFA) to reduce the impact of session hijacking. Regularly monitor logs for unusual admin activity and scan WordPress installations for signs of compromise. Consider temporarily disabling or restricting access to the plugin’s customer management features if feasible until a fix is applied. Additionally, ensure WordPress core and all plugins are kept up to date and conduct periodic security audits focusing on input sanitization.