CVE-2025-23973 is a stored cross-site scripting vulnerability in dugudlabs SpecFit-Virtual Try On Woocommerce plugin versions up to 8.0.3. It results from improper neutralization of input during web page generation, enabling attackers to inject malicious scripts that persist and execute in the context of users' browsers. The CVSS 3.1 score of 7.1 reflects network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and availability. No patch or vendor advisory is currently provided, and no known exploits have been reported.

Successful exploitation of this vulnerability allows attackers to execute arbitrary scripts in the context of affected users, potentially leading to partial disclosure of sensitive information, modification of data, and disruption of service availability. The impact is rated as high severity based on the CVSS score. There are no reports of active exploitation in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider limiting exposure by restricting plugin usage or applying web application firewall rules to detect and block suspicious input patterns related to this vulnerability. Monitor vendor channels for updates and apply patches promptly once released.