The Premmerce WooCommerce Customers Manager plugin for WordPress suffers from a reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-13369. This vulnerability is caused by improper neutralization of user-supplied input during web page generation, specifically in the handling of the 'money_spent_from', 'money_spent_to', 'registered_from', and 'registered_to' URL parameters. These parameters are not adequately sanitized or escaped before being reflected in the plugin's pages, allowing an attacker to inject arbitrary JavaScript code. Since the vulnerability is reflected, the malicious payload is delivered via a crafted URL that must be clicked by an administrator or user with sufficient privileges, leading to script execution in their browser context. This can result in session hijacking, privilege escalation, or unauthorized actions performed with the administrator's credentials. The vulnerability affects all versions up to and including 1.1.14 of the plugin. The CVSS 3.1 score of 6.1 indicates a medium severity with a network attack vector, low attack complexity, no privileges required, but user interaction is necessary. No patches or fixes are currently linked, and no known exploits are reported in the wild, but the risk remains significant due to the potential impact on administrative accounts and site integrity.

The primary impact of this vulnerability is the potential compromise of administrative accounts through session hijacking or theft of authentication tokens, which can lead to unauthorized access and control over the WordPress site. Attackers can execute arbitrary scripts in the context of the administrator's browser, enabling them to manipulate site content, steal sensitive customer data, or perform administrative actions without authorization. This undermines the confidentiality and integrity of the affected systems. Although availability is not directly impacted, the resulting unauthorized changes could disrupt business operations. Organizations relying on WooCommerce and this plugin for customer management are at risk of data breaches, reputational damage, and compliance violations. The requirement for user interaction limits mass exploitation but targeted phishing or social engineering attacks against administrators can be highly effective. The vulnerability is particularly concerning for e-commerce sites handling sensitive customer and financial data.

Organizations should immediately update the Premmerce WooCommerce Customers Manager plugin to a version that addresses this vulnerability once available. In the absence of an official patch, administrators should implement strict input validation and output encoding for the affected parameters at the web application firewall (WAF) or reverse proxy level to block malicious payloads. Restrict administrative access to trusted IP addresses and enforce multi-factor authentication (MFA) to reduce the risk of account compromise. Educate administrators about phishing risks and the dangers of clicking untrusted links. Regularly audit plugin usage and monitor logs for suspicious URL parameters or unusual administrator activity. Consider temporarily disabling or replacing the plugin if a timely patch is not available. Employ Content Security Policy (CSP) headers to limit the impact of injected scripts. Finally, maintain regular backups and incident response plans to recover quickly if exploitation occurs.