CVE-2025-22638: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in acowebs Product Table For WooCommerce
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in acowebs Product Table For WooCommerce product-table-for-woocommerce allows Stored XSS. This issue affects Product Table For WooCommerce: from n/a through <= 1.2.3.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-22638 affects the acowebs Product Table For WooCommerce plugin, specifically versions up to and including 1.2.3. It is a stored cross-site scripting (XSS) flaw caused by improper neutralization of input during the generation of web pages. This means that user-supplied data is not adequately sanitized or encoded before being embedded into the HTML output, allowing malicious scripts to be stored persistently on the server and executed in the browsers of users who view the affected pages. Stored XSS is particularly dangerous because the malicious payload remains on the site and can impact multiple users over time. The vulnerability does not require authentication, meaning any unauthenticated attacker can exploit it by submitting crafted input that gets stored and later rendered. No user interaction beyond visiting the compromised page is necessary to trigger the malicious script. Although no public exploits have been reported yet, the flaw's nature and the widespread use of WooCommerce make it a significant risk. The plugin is commonly used to display product tables in WooCommerce stores, so many e-commerce websites could be affected. The lack of a CVSS score means severity must be assessed based on impact and exploitability factors. Stored XSS can lead to session hijacking, credential theft, defacement, or redirection to malicious sites, impacting confidentiality, integrity, and availability of the affected sites and their users.
Potential Impact
The primary impact of this vulnerability is on the confidentiality, integrity, and availability of e-commerce websites using the affected plugin. Attackers can inject malicious scripts that execute in the browsers of site visitors, potentially stealing sensitive information such as login credentials, payment data, or personal information. This can lead to account compromise, fraudulent transactions, and loss of customer trust. The integrity of the website content can be undermined by defacement or unauthorized actions performed via the injected scripts. Availability may also be affected if attackers use the vulnerability to launch further attacks such as denial of service or malware distribution. Given WooCommerce's extensive use globally, a large number of online stores could be exposed, amplifying the potential damage. The vulnerability could also be leveraged as a foothold for more advanced attacks within the victim's network or customer base. Organizations relying on this plugin for their e-commerce operations face reputational damage, financial losses, and regulatory compliance risks if exploited.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately update the Product Table For WooCommerce plugin to a version that addresses the issue once available. Until a patch is released, administrators should implement strict input validation and output encoding on all user-supplied data within the plugin's context to prevent malicious scripts from being stored or rendered. Employing a Web Application Firewall (WAF) with rules targeting XSS payloads can help block exploitation attempts. Regularly audit and sanitize existing product table entries to remove any injected malicious content. Additionally, enforce the principle of least privilege for user roles to limit who can submit or edit product table data. Monitoring web server logs and user activity for suspicious behavior can aid in early detection of exploitation attempts. Educating site administrators and developers about secure coding practices and the risks of stored XSS will help prevent similar vulnerabilities in the future.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-01-07T21:02:36.080Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69cd75fbe6bfc5ba1df08b9f
Added to database: 4/1/2026, 7:46:03 PM
Last enriched: 4/2/2026, 10:31:48 AM
Last updated: 4/6/2026, 9:36:30 AM