CVE-2025-13387 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Kadence WooCommerce Email Designer plugin for WordPress, maintained by stellarwp. This vulnerability affects all versions up to and including 1.5.17. The root cause is insufficient sanitization and escaping of the customer name input field during web page generation, which allows attackers to inject arbitrary JavaScript code that is stored persistently. Because the vulnerability is stored XSS, the malicious payload executes every time a user views the affected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of the user. Notably, the vulnerability can be exploited by unauthenticated attackers without any user interaction, increasing its risk profile. The CVSS v3.1 score is 7.2 (High), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change with partial confidentiality and integrity impact but no availability impact. Although no public exploits have been reported yet, the vulnerability is critical due to the widespread use of WooCommerce and WordPress in e-commerce environments. The plugin’s role in designing WooCommerce emails means that injected scripts could affect administrators or customers viewing order confirmation or notification emails rendered in the browser, expanding the attack surface. The lack of available patches at the time of publication necessitates immediate mitigation efforts by affected organizations.

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of customer and administrative data. Exploitation could lead to theft of session cookies, enabling account takeover, unauthorized actions within the e-commerce platform, and potential spread of malware or phishing attacks via compromised email templates. Given the critical role of WooCommerce in European e-commerce, successful exploitation could disrupt business operations, damage customer trust, and lead to regulatory non-compliance under GDPR due to data breaches. The vulnerability’s ability to be exploited without authentication or user interaction increases the likelihood of automated attacks targeting vulnerable sites. Additionally, attackers could leverage this flaw to pivot to other parts of the network or escalate privileges, especially if administrative users are targeted. The absence of known exploits currently provides a window for proactive defense, but the high severity score and the commonality of the affected plugin underscore the urgency for European organizations to act swiftly.

1. Immediate upgrade: Monitor for official patches from stellarwp and apply them as soon as they become available. 2. Input validation: Implement additional server-side input validation and sanitization for customer name fields at the application or web server level to block malicious scripts. 3. Content Security Policy (CSP): Deploy strict CSP headers to restrict the execution of unauthorized scripts in browsers, mitigating the impact of injected XSS payloads. 4. Web Application Firewall (WAF): Configure WAF rules to detect and block common XSS attack patterns targeting the vulnerable plugin endpoints. 5. User privilege management: Limit administrative access and enforce multi-factor authentication to reduce the risk of session hijacking consequences. 6. Monitoring and logging: Enable detailed logging of web requests and monitor for unusual activity indicative of XSS exploitation attempts. 7. Educate users: Inform administrators and users about the risk of suspicious scripts or unexpected behavior in WooCommerce emails. 8. Temporary disablement: If patching is delayed, consider disabling the Kadence WooCommerce Email Designer plugin until a fix is available to eliminate the attack vector.