CVE-2025-14891 is a stored Cross-Site Scripting vulnerability identified in the ivole Customer Reviews for WooCommerce plugin for WordPress, affecting all versions up to and including 5.93.1. The vulnerability stems from insufficient input sanitization and output escaping of the 'displayName' parameter used during web page generation. Authenticated attackers with at least customer-level privileges can inject arbitrary JavaScript code into review pages, which executes in the context of other users viewing those pages, potentially leading to session hijacking, data theft, or unauthorized actions. Although the AJAX endpoint related to this vulnerability can be invoked without authentication, exploitation requires knowledge of a valid form ID, which is only obtainable by placing an order. If guest checkout is enabled, unauthenticated attackers can place orders to retrieve form IDs, thus lowering the barrier to exploitation. The vulnerability impacts confidentiality and integrity but does not affect availability. The CVSS 3.1 base score is 6.4, reflecting medium severity, with attack vector as network, low attack complexity, privileges required at the customer level, no user interaction needed, and scope changed due to impact beyond the vulnerable component. No patches or known exploits are currently reported, but the risk remains significant given the widespread use of WooCommerce in e-commerce platforms.

For European organizations, this vulnerability could lead to unauthorized script execution within the context of their e-commerce websites, potentially compromising customer data, session tokens, and enabling fraudulent transactions or account takeovers. Given the popularity of WooCommerce in Europe for online retail, exploitation could damage brand reputation, lead to regulatory non-compliance under GDPR due to data breaches, and cause financial losses. The ability for unauthenticated attackers to exploit the vulnerability if guest checkout is enabled increases risk exposure, especially for businesses that allow guest purchases. The vulnerability primarily threatens confidentiality and integrity, with no direct impact on availability. However, successful exploitation could indirectly affect availability through subsequent attacks or customer trust erosion. Organizations handling sensitive customer information or payment data are particularly at risk.

Organizations should immediately update the ivole Customer Reviews for WooCommerce plugin to a version where this vulnerability is patched once available. Until a patch is released, administrators should consider disabling guest checkout to prevent unauthenticated attackers from obtaining form IDs. Implementing Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'displayName' parameter can reduce exploitation risk. Additionally, applying strict Content Security Policy (CSP) headers can mitigate the impact of injected scripts by restricting script execution sources. Regularly auditing and sanitizing user-generated content, especially review inputs, is recommended. Monitoring logs for unusual AJAX requests or form ID usage patterns can help detect exploitation attempts. Finally, educating users and administrators about the risks of stored XSS and maintaining up-to-date backups will aid in recovery if an incident occurs.