CVE-2025-24644 is a stored cross-site scripting (XSS) vulnerability found in the WebToffee WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin, specifically affecting versions up to and including 4.7.1. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows malicious scripts to be injected and stored persistently within the application. When an authenticated user accesses the affected pages, the malicious script executes in their browser context. This can lead to a range of attacks including session hijacking, theft of sensitive information, unauthorized actions performed on behalf of the user, and potential malware distribution. The plugin is widely used in WooCommerce, a leading e-commerce platform built on WordPress, which powers a significant portion of online stores worldwide. Although no active exploits have been reported in the wild, the vulnerability presents a serious risk due to the stored nature of the XSS, which does not require repeated user interaction beyond viewing the compromised content. The lack of a CVSS score means severity must be assessed based on impact and exploitability factors. The vulnerability affects the confidentiality and integrity of user data and can disrupt normal operations if exploited. The issue was publicly disclosed in January 2025, with no patch links currently available, indicating the need for urgent attention from site administrators and developers.

The impact of CVE-2025-24644 on organizations worldwide can be significant, especially for e-commerce businesses relying on WooCommerce and the affected WebToffee plugin. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of authenticated users, potentially leading to session hijacking, theft of customer data, unauthorized transactions, and defacement or manipulation of invoice and shipping documents. This can erode customer trust, cause financial losses, and damage brand reputation. Additionally, attackers could use the vulnerability as a foothold to escalate privileges or distribute malware to site visitors. Since the vulnerability is stored XSS, it can affect multiple users over time, increasing the attack surface. Organizations with large customer bases or those handling sensitive payment and shipping information are particularly at risk. The absence of known exploits in the wild currently reduces immediate risk but does not diminish the urgency for remediation, as attackers often develop exploits rapidly after disclosure. The vulnerability also poses compliance risks for organizations subject to data protection regulations, as exploitation could lead to unauthorized data exposure.

To mitigate CVE-2025-24644, organizations should prioritize updating the WebToffee WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels plugin to a patched version once it becomes available from the vendor. Until a patch is released, administrators should implement strict input validation and output encoding on all user-supplied data that is rendered in web pages, particularly within the plugin’s invoice and shipping label generation features. Employing a web application firewall (WAF) with rules designed to detect and block XSS payloads can provide interim protection. Regularly audit and sanitize existing stored data to remove any malicious scripts that may have been injected prior to patching. Additionally, enforcing the principle of least privilege for user roles within WooCommerce can limit the potential damage from compromised accounts. Monitoring logs for unusual activity related to invoice or shipping document generation can help detect exploitation attempts early. Educating staff and users about the risks of XSS and safe browsing practices is also beneficial. Finally, consider implementing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser context.