CVE-2025-13974 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the Email Customizer for WooCommerce plugin for WordPress, specifically in all versions up to and including 2.6.7. The vulnerability stems from improper neutralization of input during web page generation, where the plugin fails to adequately sanitize and escape user-supplied content in email templates. This flaw allows authenticated users with administrator-level privileges on multisite WordPress installations—where the unfiltered_html capability is disabled—to inject arbitrary JavaScript code into email templates. When customers receive and view these transactional emails, the malicious scripts execute in their browsers, potentially leading to session hijacking, theft of sensitive information, or redirection to malicious sites. The vulnerability is limited to multisite WordPress setups, which are commonly used by larger organizations or service providers managing multiple sites under one installation. The attack requires high privileges (administrator) and does not require user interaction beyond viewing the email. The CVSS v3.1 base score is 4.4, indicating medium severity, with attack vector network, high attack complexity, and privileges required. No public exploits have been reported yet, but the vulnerability poses a risk to customer security and trust if exploited. No official patches were linked at the time of publication, so mitigation may require plugin updates or configuration changes.

The primary impact of this vulnerability is on the confidentiality and integrity of customer data. Exploiting the stored XSS allows attackers to execute arbitrary scripts in the context of the victim's browser when viewing transactional emails, potentially leading to session hijacking, credential theft, or unauthorized actions on customer accounts. This can erode customer trust and damage the reputation of affected organizations. Since the vulnerability requires administrator privileges on multisite WordPress installations, the risk is somewhat contained within organizations that have such configurations. However, WooCommerce is widely used in e-commerce, and multisite setups are common in agencies or enterprises managing multiple storefronts. The lack of user interaction requirement beyond email viewing increases the risk to customers receiving these emails. The vulnerability does not affect availability but can lead to significant data breaches or fraud. Organizations failing to address this issue may face regulatory penalties if customer data is compromised.

Organizations should immediately verify if they are running multisite WordPress installations with the Email Customizer for WooCommerce plugin version 2.6.7 or earlier. Since no official patch links were provided, administrators should monitor the vendor's site for updates and apply patches as soon as they become available. In the interim, restrict administrator access to trusted personnel only and audit existing email templates for suspicious or unauthorized scripts. Consider disabling or limiting the use of the Email Customizer plugin in multisite environments if possible. Additionally, enable Content Security Policy (CSP) headers to reduce the impact of injected scripts. Review and harden WordPress security settings, including the use of security plugins that can detect and block XSS payloads. Educate administrators on safe template editing practices and monitor outgoing emails for anomalies. Finally, ensure customers are informed about potential phishing risks and encourage them to report suspicious emails.