CVE-2025-13974 is a stored cross-site scripting vulnerability classified under CWE-79, found in the Email Customizer for WooCommerce plugin for WordPress. This plugin enables drag-and-drop email template customization for WooCommerce transactional emails. The vulnerability arises from insufficient input sanitization and output escaping of email template content, allowing an authenticated attacker with administrator privileges to inject arbitrary JavaScript code into email templates. The malicious scripts execute when customers open the transactional emails, potentially leading to theft of sensitive information, session hijacking, or other client-side attacks. This vulnerability specifically affects multisite WordPress installations or those where the unfiltered_html capability is disabled, limiting the scope to environments with stricter content filtering. The CVSS v3.1 score is 4.4 (medium severity), reflecting the requirement for high privileges (administrator), network attack vector, no user interaction, and partial confidentiality and integrity impact but no availability impact. No public exploits have been reported yet, but the vulnerability poses a risk to organizations relying on WooCommerce multisite setups for e-commerce operations. The lack of patch links suggests that a fix may not yet be available or publicly disclosed, emphasizing the need for immediate mitigation steps.

For European organizations, this vulnerability could lead to compromise of customer data confidentiality and integrity through malicious script execution in transactional emails. Attackers with admin access could inject scripts that steal customer credentials, perform phishing, or manipulate email content, damaging brand reputation and customer trust. The impact is particularly significant for e-commerce businesses using WooCommerce multisite installations, which are common in larger enterprises or agencies managing multiple stores. Since the attack vector is via email content viewed by customers, the threat extends beyond internal systems to end users, increasing potential regulatory and compliance risks under GDPR. However, the requirement for administrator-level access limits the attack surface to insider threats or compromised admin accounts. The absence of known exploits reduces immediate risk but does not eliminate it, especially as attackers may develop exploits once the vulnerability is public. Organizations could face financial losses, legal consequences, and operational disruptions if exploited.

1. Immediately restrict administrator access to trusted personnel and enforce strong authentication mechanisms such as MFA to reduce risk of credential compromise. 2. Monitor and audit changes to email templates regularly to detect unauthorized modifications. 3. If possible, disable or limit the use of the Email Customizer for WooCommerce plugin in multisite environments until a patch is available. 4. Implement additional input validation and output escaping in custom email templates to prevent script injection. 5. Educate administrators about the risks of injecting untrusted content into email templates. 6. Use Content Security Policy (CSP) headers in emails where supported to limit script execution. 7. Keep WordPress core, WooCommerce, and all plugins updated and monitor vendor advisories for patches addressing this vulnerability. 8. Consider isolating multisite installations or using separate environments for email customization to reduce attack surface. 9. Employ email scanning and filtering solutions to detect malicious payloads before reaching customers.