CVE-2025-23450 identifies a reflected Cross-site Scripting (XSS) vulnerability in the AW WooCommerce Kode Pembayaran plugin, a payment code extension for WooCommerce on WordPress. The vulnerability stems from improper neutralization of user-supplied input during web page generation, allowing attackers to inject malicious JavaScript code into web pages viewed by other users. This reflected XSS occurs when crafted input is included in HTTP responses without adequate sanitization or encoding, enabling execution of arbitrary scripts in victims' browsers. The affected versions include all releases up to and including 1.1.4. Exploitation requires no authentication but does require user interaction, such as clicking a maliciously crafted URL. Although no known exploits have been reported in the wild, the vulnerability poses risks such as session hijacking, theft of sensitive information, defacement, or redirection to phishing or malware sites. The plugin's integration with WooCommerce, a widely used e-commerce platform, increases the potential attack surface, especially for online stores handling sensitive customer data and payment processes. The lack of a CVSS score necessitates severity assessment based on impact and exploitability factors. The vulnerability affects confidentiality and integrity primarily, with moderate impact on availability. The scope is limited to sites using the vulnerable plugin. The vulnerability is classified as high severity due to ease of exploitation and potential damage. No official patches or mitigation links are currently provided, emphasizing the need for proactive defense measures.

The reflected XSS vulnerability in AW WooCommerce Kode Pembayaran can have significant impacts on organizations running WooCommerce-based e-commerce sites. Attackers can exploit this flaw to execute arbitrary scripts in the context of users' browsers, leading to session hijacking, theft of login credentials, unauthorized actions on behalf of users, and exposure of sensitive customer data. This can result in financial losses, reputational damage, regulatory penalties, and erosion of customer trust. Additionally, attackers may use the vulnerability to redirect users to malicious websites hosting malware or phishing pages, further amplifying the risk. The vulnerability's presence in a payment-related plugin heightens the risk profile, as attackers may target payment workflows to intercept or manipulate transactions. Although exploitation requires user interaction, the widespread use of WooCommerce and the plugin increases the likelihood of successful attacks. Organizations lacking timely patching or compensating controls are particularly vulnerable. The absence of known exploits in the wild currently limits immediate risk but does not diminish the potential impact if weaponized.

1. Monitor official sources and vendor announcements for patches or updates addressing CVE-2025-23450 and apply them promptly once available. 2. Implement strict input validation and output encoding on all user-supplied data within the plugin and the broader WooCommerce environment to prevent injection of malicious scripts. 3. Deploy Web Application Firewalls (WAFs) configured to detect and block common XSS attack patterns, including reflected payloads targeting the plugin's endpoints. 4. Educate users and administrators about the risks of clicking on suspicious links, especially those purporting to relate to payment or order processing. 5. Conduct regular security assessments and penetration testing focusing on the WooCommerce environment and installed plugins to identify and remediate similar vulnerabilities. 6. Consider disabling or replacing the AW WooCommerce Kode Pembayaran plugin with alternative, actively maintained solutions if immediate patching is not feasible. 7. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the e-commerce site. 8. Maintain up-to-date backups and incident response plans to quickly recover from potential exploitation events.