CVE-2025-13387 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Kadence WooCommerce Email Designer plugin for WordPress, developed by stellarwp. This vulnerability affects all versions up to and including 1.5.17. The root cause is insufficient input sanitization and output escaping of the customer name field during web page generation. An unauthenticated attacker can exploit this flaw by injecting arbitrary JavaScript code into the customer name input, which is then stored and rendered in email templates or pages generated by the plugin. When a user views the affected page or email, the malicious script executes in their browser context, potentially allowing attackers to steal session cookies, perform actions on behalf of the user, or deliver further malware. The vulnerability has a CVSS 3.1 base score of 7.2, indicating high severity, with an attack vector of network (remote), low attack complexity, no privileges required, and no user interaction needed. The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. While no public exploits are currently known, the vulnerability's nature and the popularity of WooCommerce and WordPress make it a significant risk. The lack of available patches at the time of disclosure necessitates immediate attention from administrators to apply mitigations or monitor for updates.

The impact of CVE-2025-13387 is primarily on the confidentiality and integrity of affected systems. Successful exploitation allows attackers to execute arbitrary scripts in the context of users viewing compromised pages or emails, potentially leading to session hijacking, credential theft, unauthorized actions, and distribution of malware. This can result in data breaches, loss of customer trust, and reputational damage for organizations using the vulnerable plugin. Since the vulnerability requires no authentication or user interaction, it can be exploited at scale by automated attacks. E-commerce sites relying on WooCommerce and the Kadence Email Designer plugin are particularly at risk, as attackers can target customers and administrators alike. The scope change indicates that the vulnerability can affect components beyond the plugin itself, potentially impacting the broader WordPress environment. Although no known exploits exist yet, the high CVSS score and ease of exploitation suggest that attackers may develop exploits soon, increasing the urgency for mitigation.

Organizations should immediately audit their WordPress installations to identify the presence of the Kadence WooCommerce Email Designer plugin and its version. Until an official patch is released, administrators should consider the following mitigations: 1) Disable or deactivate the plugin if feasible to eliminate the attack surface. 2) Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the customer name field, focusing on script tags and common XSS payloads. 3) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 4) Regularly monitor logs and user reports for signs of suspicious activity or unexpected script execution. 5) Educate users and administrators about the risk and encourage cautious handling of emails and pages generated by the plugin. Once a patch becomes available, prioritize prompt updating of the plugin to the fixed version. Additionally, review and harden input validation and output encoding practices across all plugins and themes to reduce the risk of similar vulnerabilities.