CVE-2025-24755 identifies a Stored Cross-site Scripting (XSS) vulnerability in the PDF Invoice Builder for WooCommerce plugin developed by add-ons.org. This vulnerability is caused by improper neutralization of user-supplied input during the generation of web pages, specifically within the plugin's handling of invoice data. The affected versions include all releases up to and including version 4.6.0. Stored XSS means that malicious scripts injected by an attacker are permanently stored on the server (e.g., in a database) and executed in the browsers of users who view the affected pages, such as administrators or customers accessing invoices. This can allow attackers to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, credential theft, unauthorized actions, or malware distribution. The vulnerability does not require authentication, increasing the risk of exploitation by unauthenticated attackers. Currently, there are no publicly known exploits in the wild, and no official patches have been linked, indicating that the vulnerability is newly disclosed. The plugin is widely used in WooCommerce-based e-commerce sites, which handle sensitive customer and transactional data, making the vulnerability particularly concerning. The absence of a CVSS score necessitates a severity assessment based on impact and exploitability factors.

The impact of this Stored XSS vulnerability is significant for organizations running WooCommerce e-commerce platforms with the vulnerable PDF Invoice Builder plugin. Attackers can inject malicious scripts that execute in the browsers of users who view invoices or related pages, potentially compromising user sessions and stealing sensitive information such as authentication tokens or personal data. This can lead to unauthorized access to administrative functions or customer accounts, data manipulation, and reputational damage. Additionally, attackers could use the vulnerability to deliver malware or redirect users to phishing sites, increasing the risk of broader compromise. The vulnerability affects the confidentiality and integrity of data and could also impact availability if attackers disrupt normal operations. Given the widespread use of WooCommerce globally, many small to medium-sized businesses are exposed, increasing the overall risk landscape. The lack of authentication requirements lowers the barrier to exploitation, making it easier for attackers to target vulnerable sites.

To mitigate this vulnerability, organizations should: 1) Monitor for and apply updates from add-ons.org promptly once a security patch is released for PDF Invoice Builder for WooCommerce. 2) Until a patch is available, consider disabling or removing the vulnerable plugin to eliminate exposure. 3) Implement strict input validation and output encoding on all user-supplied data related to invoice generation to prevent script injection. 4) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 5) Regularly audit and sanitize stored data that the plugin uses to ensure no malicious scripts are present. 6) Educate administrators and users to be cautious when interacting with invoice pages and report suspicious behavior. 7) Use web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting WooCommerce plugins. 8) Conduct security testing and code reviews on customizations involving invoice generation to identify similar vulnerabilities.