CVE-2025-32535 identifies a Reflected Cross-site Scripting (XSS) vulnerability in the DN Shipping by Weight plugin for WooCommerce, a popular e-commerce shipping extension. The vulnerability stems from improper neutralization of input during web page generation, meaning that user-supplied data is not correctly sanitized or encoded before being included in the HTML output. This allows an attacker to craft a malicious URL containing executable JavaScript code that, when visited by a victim, executes within the victim's browser context. The plugin versions affected are all versions up to and including 1.2. The vulnerability is classified as Reflected XSS, which typically requires the victim to click on a malicious link or visit a specially crafted URL. There is no indication that authentication is required to exploit this vulnerability, increasing its risk profile. Although no known exploits are currently reported in the wild, the vulnerability is publicly disclosed and published in April 2025, making it a potential target for attackers. The lack of a CVSS score means severity must be assessed based on impact and exploitability factors. Reflected XSS can lead to session hijacking, theft of cookies or credentials, defacement, or redirection to phishing or malware sites, compromising user confidentiality and integrity. The plugin is used within WooCommerce, which powers a significant portion of e-commerce websites globally, increasing the scope of affected systems. The vendor has not yet provided a patch or mitigation guidance, so users must be vigilant and apply best practices to reduce risk.

The impact of this vulnerability is significant for organizations using the DN Shipping by Weight plugin on WooCommerce platforms. Successful exploitation can lead to the execution of arbitrary JavaScript in the context of users' browsers, enabling attackers to steal session cookies, credentials, or other sensitive information. This can result in account takeover, fraudulent transactions, or unauthorized access to user data. Additionally, attackers could use the vulnerability to perform phishing attacks by redirecting users to malicious sites or displaying fake login prompts. The reputational damage to affected e-commerce businesses can be substantial, as customers lose trust in the security of the platform. Since WooCommerce is widely used by small to medium-sized businesses worldwide, the potential for widespread impact exists. The vulnerability affects confidentiality and integrity primarily, with availability less likely to be directly impacted. The ease of exploitation without authentication and the broad user base increase the risk of exploitation. Organizations that do not promptly address this vulnerability may face increased risk of data breaches and financial loss.

To mitigate this vulnerability, organizations should immediately monitor for updates or patches released by the vendor digireturn and apply them as soon as they become available. In the absence of an official patch, administrators should consider temporarily disabling or removing the DN Shipping by Weight plugin if feasible. Implementing a Web Application Firewall (WAF) with rules to detect and block reflected XSS attack patterns can provide interim protection. Additionally, website owners should ensure that all user inputs are properly validated and sanitized on the server side, and that output encoding is applied to any data rendered in HTML contexts. Educating users about the risks of clicking on suspicious links can reduce the likelihood of successful exploitation. Regular security audits and penetration testing focused on input validation can help identify similar vulnerabilities. Finally, maintaining up-to-date backups and incident response plans will aid in recovery if an attack occurs.