CVE-2025-24657 identifies a stored cross-site scripting (XSS) vulnerability in the WebToffee Wishlist for WooCommerce plugin, specifically versions up to and including 2.1.2. The vulnerability stems from improper neutralization of user input during the generation of web pages, allowing malicious scripts to be stored within the wishlist data. When other users or administrators view the affected wishlist pages, the injected scripts execute in their browsers, potentially compromising their accounts or the website’s integrity. Stored XSS is particularly dangerous because the malicious payload persists on the server and can affect multiple users without requiring repeated attacker interaction. The flaw does not require authentication to exploit, increasing the attack surface. Although no public exploits have been reported yet, the vulnerability is published and known, making it a likely target for attackers. The affected product is widely used in WooCommerce-based e-commerce sites, which are popular globally. The lack of a CVSS score indicates the need for an expert severity assessment, which considers the vulnerability’s impact on confidentiality, integrity, and availability, as well as ease of exploitation and scope. The vulnerability can lead to session hijacking, credential theft, defacement, or unauthorized actions, severely impacting affected organizations.

The impact of CVE-2025-24657 is significant for organizations running WooCommerce stores with the WebToffee Wishlist plugin. Successful exploitation can lead to theft of user credentials and session tokens, allowing attackers to impersonate legitimate users or administrators. This can result in unauthorized transactions, data leakage, or site defacement. The persistent nature of stored XSS means multiple users can be affected over time, increasing the potential damage. E-commerce platforms rely heavily on customer trust; thus, exploitation could damage brand reputation and lead to financial losses. Additionally, attackers might leverage the vulnerability as a foothold for further attacks within the network. Since no authentication is required, attackers can target any site visitor, broadening the scope of impact. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed.

To mitigate CVE-2025-24657, organizations should immediately update the WebToffee Wishlist for WooCommerce plugin to a version that addresses this vulnerability once available. Until a patch is released, administrators can implement input validation and output encoding on all user-supplied data related to the wishlist feature to prevent script injection. Employing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting the wishlist pages can reduce risk. Regularly audit and sanitize existing wishlist data to remove any malicious scripts. Educate users and administrators about the risks of clicking suspicious links or interacting with untrusted wishlist content. Additionally, implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Monitoring logs for unusual activity related to wishlist pages can help detect exploitation attempts early. Finally, ensure that all other plugins and the WooCommerce platform itself are kept up to date to minimize overall attack surface.