CVE-2025-27275 identifies a reflected Cross-site Scripting (XSS) vulnerability in the WOO Codice Fiscale plugin, a WordPress extension developed by andrew_fisher. The vulnerability stems from improper neutralization of input during web page generation, meaning that user-supplied data is not adequately sanitized or encoded before being included in HTML output. This flaw allows attackers to craft malicious URLs or input fields that, when visited or submitted by a victim, cause arbitrary JavaScript code to execute within the victim's browser context. Such reflected XSS attacks do not require stored payloads and rely on tricking users into clicking malicious links. The affected versions include all releases up to and including 1.6.3. Although no patches or exploit code are currently published, the vulnerability is publicly disclosed and assigned CVE-2025-27275. The plugin appears to be related to handling Italian fiscal codes (Codice Fiscale), suggesting its use in Italian e-commerce or tax-related websites, often integrated with WooCommerce. The lack of a CVSS score necessitates an expert severity assessment. Reflected XSS vulnerabilities are generally easy to exploit and can lead to session hijacking, phishing, and unauthorized actions, impacting confidentiality and integrity. The vulnerability does not require authentication or user interaction beyond clicking a crafted link, increasing its risk profile. No known exploits in the wild have been reported yet, but the public disclosure increases the likelihood of future exploitation attempts.

The primary impact of CVE-2025-27275 is the compromise of user confidentiality and integrity through the execution of arbitrary scripts in the context of affected websites. Attackers can steal session cookies, perform actions on behalf of authenticated users, or redirect victims to malicious sites. This can lead to account takeover, data theft, and erosion of user trust. For organizations, this may result in reputational damage, regulatory penalties (especially in regions with strict data protection laws), and potential financial losses. Since the vulnerability is reflected XSS, it requires social engineering to lure victims into clicking malicious links, but no authentication is needed, broadening the attack surface. Websites using the vulnerable plugin in e-commerce or tax-related contexts are particularly sensitive, as attackers could target financial transactions or personal data. The lack of current known exploits reduces immediate risk but does not eliminate the threat, especially after public disclosure. Organizations worldwide using this plugin or similar WordPress extensions are at risk, with higher impact in countries where the plugin is popular or where Italian fiscal code processing is relevant.

1. Monitor for official patches or updates from the plugin developer and apply them promptly once available. 2. Until patches are released, implement Web Application Firewall (WAF) rules to detect and block common XSS payloads targeting the vulnerable plugin endpoints. 3. Employ strict input validation and output encoding on all user-supplied data, especially parameters reflected in web pages. 4. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 5. Educate users and administrators about the risks of clicking suspicious links and encourage the use of security-aware browsing practices. 6. Regularly audit and scan WordPress sites for vulnerabilities and outdated plugins. 7. Consider disabling or replacing the vulnerable plugin if immediate patching is not feasible, especially on high-risk or high-traffic sites. 8. Implement multi-factor authentication to reduce the impact of session hijacking if exploitation occurs. 9. Review server and application logs for suspicious activity related to reflected XSS attempts.