The Premmerce WooCommerce Customers Manager plugin, widely used in WordPress e-commerce sites to manage customer data, contains a reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-13369. This vulnerability stems from improper neutralization of input during web page generation (CWE-79). Specifically, the plugin fails to adequately sanitize and escape the 'money_spent_from', 'money_spent_to', 'registered_from', and 'registered_to' URL parameters. An attacker can craft malicious URLs embedding JavaScript payloads in these parameters. When an administrator or privileged user clicks such a link, the injected script executes within their browser context, potentially allowing session hijacking, privilege escalation, or unauthorized actions on the WordPress admin dashboard. The vulnerability is exploitable remotely without authentication but requires user interaction (clicking the malicious link). The CVSS 3.1 base score is 6.1, reflecting medium severity with network attack vector, low attack complexity, no privileges required, but user interaction needed. The scope is changed (S:C), indicating the vulnerability can affect resources beyond the vulnerable component. No public exploits are currently known, but the plugin's widespread use in WooCommerce environments makes it a notable risk. The vulnerability affects all versions up to and including 1.1.14, and no official patches have been linked yet. The issue was reserved in late 2025 and published in early 2026, indicating recent discovery.

For European organizations, this vulnerability poses a risk primarily to e-commerce platforms running WordPress with the Premmerce WooCommerce Customers Manager plugin. Successful exploitation can lead to unauthorized script execution in administrator browsers, potentially resulting in session hijacking, theft of sensitive customer data, unauthorized changes to customer records, or further compromise of the WordPress environment. This can damage customer trust, lead to regulatory non-compliance (e.g., GDPR violations due to data exposure), and cause financial and reputational harm. Since WooCommerce is popular across Europe, especially in countries with strong e-commerce sectors like Germany, the UK, France, and the Netherlands, the impact can be significant. The requirement for user interaction (administrator clicking a malicious link) somewhat limits the attack surface but does not eliminate risk, especially in targeted phishing campaigns. The vulnerability does not affect availability directly but compromises confidentiality and integrity, which are critical for customer data management systems.

European organizations should immediately audit their WordPress installations to identify the presence of the Premmerce WooCommerce Customers Manager plugin and its version. Until an official patch is released, administrators should implement strict input validation and output encoding at the web application firewall (WAF) level to block malicious payloads in the affected parameters. Employ Content Security Policy (CSP) headers to restrict script execution origins and reduce XSS impact. Educate administrators about phishing risks and the dangers of clicking untrusted links. Limit administrator access and use multi-factor authentication to reduce the risk of session hijacking. Monitor logs for suspicious URL access patterns involving the vulnerable parameters. Regularly update the plugin once a patch is available. Consider temporarily disabling or replacing the plugin if feasible to eliminate exposure. Additionally, use security plugins that detect and block XSS attempts and keep WordPress core and all plugins updated to minimize attack surface.