CVE-2025-32207 identifies a stored cross-site scripting (XSS) vulnerability in the Ni WooCommerce Cost Of Goods plugin, a tool used within WooCommerce to manage product cost data. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious JavaScript code to be injected and stored persistently within the plugin's data fields. When an administrator or user accesses the affected page, the malicious script executes in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability affects all versions up to 3.2.8, with no patch currently listed, indicating that users must take immediate action to mitigate risk. Exploitation is relatively straightforward as it does not require authentication or complex user interaction beyond viewing the infected page. The stored nature of the XSS increases its severity compared to reflected XSS, as the payload remains active until removed. Although no known exploits have been reported in the wild, the widespread use of WooCommerce and this plugin in e-commerce environments makes this a significant threat vector. The lack of a CVSS score necessitates an independent severity assessment based on impact and exploitability factors.

The impact of this stored XSS vulnerability is significant for organizations using the Ni WooCommerce Cost Of Goods plugin. Attackers can inject persistent malicious scripts that execute in the browsers of administrators or users interacting with the plugin's interface. This can lead to session hijacking, allowing attackers to impersonate legitimate users and gain unauthorized access to sensitive e-commerce management functions. Confidential data such as credentials, payment information, or internal business data could be stolen or manipulated. The integrity of the e-commerce platform may be compromised by unauthorized changes to product cost data or other critical settings. Availability could also be affected if attackers use the vulnerability to inject disruptive scripts or launch further attacks. Given the plugin’s role in financial data management within WooCommerce, the threat extends to financial fraud and reputational damage. The ease of exploitation and persistent nature of the vulnerability increase the risk of widespread impact, especially in organizations with multiple administrators or users accessing the plugin.

To mitigate this vulnerability, organizations should first monitor for updates or patches from the plugin developer and apply them promptly once available. In the absence of an official patch, administrators should implement strict input validation and sanitization on all user-supplied data fields related to the plugin, ideally using a web application firewall (WAF) with custom rules to detect and block XSS payloads targeting the affected plugin endpoints. Restrict access to the plugin’s administrative interfaces to trusted users only and enforce the principle of least privilege. Regularly audit stored data for suspicious scripts or injected code and remove any malicious content found. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser context. Additionally, educate administrators and users about the risks of XSS and encourage cautious behavior when interacting with plugin-generated content. Finally, consider isolating or disabling the plugin temporarily if the risk is deemed too high until a secure version is released.