CVE-2025-14626 is a stored cross-site scripting vulnerability classified under CWE-79, affecting the 'QR Code for WooCommerce order emails, PDF invoices, packing slips' WordPress plugin developed by www15to. The vulnerability exists in all versions up to 1.9.42 due to insufficient input sanitization and output escaping of user-supplied attributes within the plugin's shortcode functionality. Authenticated users with contributor-level access or higher can exploit this flaw by injecting arbitrary JavaScript code into order emails, PDF invoices, or packing slips generated by WooCommerce. When other users access these pages or documents, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability is remotely exploitable over the network without user interaction but requires authenticated access with low privileges, making it moderately accessible to attackers. The CVSS 3.1 base score of 6.4 reflects a medium severity rating, indicating a significant but not critical risk. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability's scope is limited to WordPress sites using the affected plugin, which is popular among WooCommerce users for generating QR codes in transactional documents. The flaw highlights the importance of proper input validation and output encoding in WordPress plugins, especially those handling user-generated content or shortcodes.

The impact of CVE-2025-14626 can be significant for organizations relying on the affected plugin within their WooCommerce-powered WordPress sites. Successful exploitation allows attackers with contributor-level access to inject malicious scripts that execute in the context of other users, including administrators or customers. This can lead to theft of sensitive information such as authentication cookies, personal data, or payment details, undermining confidentiality and integrity. Additionally, attackers could perform actions on behalf of victims, potentially escalating privileges or manipulating order data. While the vulnerability does not directly affect availability, the resulting compromise could lead to reputational damage, regulatory penalties, and loss of customer trust. E-commerce sites are particularly at risk due to the financial and personal data involved. Since exploitation requires authenticated access, insider threats or compromised contributor accounts pose a realistic attack vector. The lack of known exploits in the wild suggests limited current active exploitation, but the medium severity and ease of exploitation warrant proactive remediation to prevent future attacks.

To mitigate CVE-2025-14626, organizations should first verify if they are using the affected versions of the 'QR Code for WooCommerce order emails, PDF invoices, packing slips' plugin. Since no official patch links are provided, users should monitor the vendor's site or WordPress plugin repository for updates addressing this vulnerability. In the interim, restrict contributor-level and higher access to trusted users only, minimizing the risk of malicious shortcode injection. Implement Web Application Firewall (WAF) rules to detect and block suspicious script injections in shortcode attributes. Review and sanitize all user inputs related to shortcodes manually if possible, or disable the shortcode functionality until a patch is available. Conduct regular security audits and monitor logs for unusual activity related to order emails or PDF generation. Educate users about the risks of granting contributor-level access and enforce strong authentication mechanisms. Finally, consider alternative plugins with better security track records if timely patching is not feasible.