CVE-2025-28999 is a high-severity reflected Cross-site Scripting (XSS) vulnerability identified in the ZoomIt WooCommerce Shop Page Builder plugin for WordPress. This vulnerability arises due to improper neutralization of user-supplied input during web page generation, classified under CWE-79. Specifically, the plugin fails to adequately sanitize or encode input parameters that are reflected back in the web page content, allowing an attacker to inject malicious scripts. When a victim user interacts with a crafted URL or input, the malicious script executes in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability affects versions up to 2.27.7 of the WooCommerce Shop Page Builder. The CVSS 3.1 base score of 7.1 indicates a high severity, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L highlighting that the attack can be launched remotely over the network without privileges, requires user interaction, and impacts confidentiality, integrity, and availability with a scope change (S:C). No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was reserved in March 2025 and published in August 2025, indicating recent discovery and disclosure. Given the plugin’s integration with WooCommerce, a widely used e-commerce platform, this vulnerability poses a significant risk to online stores using this plugin for their shop page customization.

For European organizations, especially e-commerce businesses relying on WooCommerce and the ZoomIt Shop Page Builder plugin, this vulnerability can lead to serious security breaches. Attackers exploiting this reflected XSS flaw can hijack user sessions, steal sensitive customer data such as payment information or personal details, and perform unauthorized transactions or administrative actions. This undermines customer trust, potentially violates GDPR requirements for data protection, and can result in financial losses and reputational damage. The scope change in the CVSS vector suggests that the vulnerability can affect resources beyond the initially vulnerable component, potentially compromising other parts of the web application. Since WooCommerce is popular among small to medium enterprises across Europe, the risk is widespread. Additionally, the requirement for user interaction means phishing or social engineering campaigns could be used to lure users into triggering the exploit, increasing the attack surface. The absence of known exploits currently provides a window for proactive mitigation, but the high severity score indicates that once exploited, the consequences could be severe.

European organizations should immediately audit their WordPress installations to identify if the ZoomIt WooCommerce Shop Page Builder plugin is in use and determine the version deployed. Until an official patch is released, administrators should consider disabling or removing the plugin to eliminate the attack vector. Implementing Web Application Firewall (WAF) rules to detect and block reflected XSS attack patterns targeting the affected plugin parameters can provide interim protection. Additionally, organizations should enforce Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. User education campaigns to raise awareness about phishing and suspicious links can reduce the likelihood of successful user interaction exploitation. Monitoring web server logs for unusual query parameters or repeated suspicious requests can help detect attempted exploitation. Once a patch is available, prompt application of updates is critical. Finally, reviewing and hardening input validation and output encoding practices in custom code and plugins can reduce the risk of similar vulnerabilities.