CVE-2025-13974 is a stored cross-site scripting vulnerability identified in the Email Customizer for WooCommerce plugin for WordPress, specifically in all versions up to and including 2.6.7. The vulnerability arises from improper input sanitization and output escaping in the email template content feature, allowing an authenticated attacker with administrator-level privileges to inject arbitrary JavaScript code into email templates. This malicious code executes when customers open transactional emails generated by WooCommerce, potentially leading to theft of sensitive information such as session cookies or personal data, or performing actions on behalf of the user. The vulnerability specifically affects multisite WordPress installations or those where the unfiltered_html capability is disabled, limiting the scope of exploitation. The CVSS 3.1 base score is 4.4, indicating a medium severity level, with the vector indicating network attack vector (AV:N), high attack complexity (AC:H), requiring high privileges (PR:H), no user interaction (UI:N), and a scope change (S:C) with low confidentiality and integrity impact (C:L/I:L) and no availability impact (A:N). No public exploits have been reported yet, but the vulnerability poses a risk to customer data confidentiality and integrity if exploited. The root cause is CWE-79, improper neutralization of input during web page generation, a common web application security flaw. The lack of patch links suggests that a fix may not yet be publicly available or is pending release.

For European organizations, this vulnerability can lead to unauthorized script execution in customer transactional emails, potentially exposing sensitive customer information such as personal data or session tokens. This undermines customer trust and may violate GDPR requirements regarding data protection and breach notification. The attack requires administrator-level access, so internal threat actors or compromised admin accounts pose the greatest risk. Multisite WordPress installations, common in larger enterprises or agencies managing multiple sites, are particularly vulnerable. Exploitation could facilitate phishing or session hijacking attacks targeting European customers, impacting brand reputation and possibly resulting in regulatory penalties. Although the CVSS score is medium, the scoped confidentiality and integrity impacts combined with the potential for customer data exposure make this a significant concern for e-commerce businesses operating in Europe. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially given the widespread use of WooCommerce in the European market.

European organizations should immediately audit their WordPress environments to identify multisite installations or configurations where unfiltered_html is disabled and the Email Customizer for WooCommerce plugin is installed. Until a patch is available, restrict administrator access to trusted personnel only and monitor for suspicious admin activity. Implement Content Security Policy (CSP) headers to limit script execution in emails and browsers. Consider disabling or limiting the use of the vulnerable email template customization feature. Regularly update WordPress core, plugins, and themes to the latest versions once a patch is released. Employ web application firewalls (WAFs) with rules to detect and block XSS payloads in admin inputs. Conduct security awareness training for administrators on the risks of injecting untrusted content. Finally, review email rendering practices and consider sanitizing or stripping scripts from emails before delivery to customers.