CVE-2025-3878 is a stored Cross-Site Scripting (XSS) vulnerability identified in the SMS Alert Order Notifications – WooCommerce plugin for WordPress, developed by cozyvision1. This vulnerability affects all versions up to and including 3.8.1. The root cause is improper neutralization of user-supplied input in the plugin's sa_verify shortcode, where insufficient input sanitization and output escaping allow authenticated users with contributor-level access or higher to inject arbitrary JavaScript code. This malicious script is stored persistently and executed whenever any user accesses the affected page, potentially compromising user sessions, stealing sensitive data, or performing actions on behalf of the victim. The vulnerability requires authentication with contributor or higher privileges, does not require user interaction, and has a CVSS 3.1 base score of 6.4, indicating medium severity. The attack vector is network-based, with low attack complexity and no user interaction needed. The scope is changed, meaning the vulnerability can impact resources beyond the initially compromised component. The impact affects confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.

For European organizations using WooCommerce with the SMS Alert Order Notifications plugin, this vulnerability poses a significant risk to web application security. Since WooCommerce is widely used for e-commerce platforms across Europe, attackers exploiting this vulnerability could inject malicious scripts that compromise customer data, including personal and payment information, leading to data breaches and loss of customer trust. The ability to execute scripts without user interaction increases the risk of automated exploitation. Additionally, attackers could leverage this vulnerability to perform session hijacking, defacement, or phishing attacks targeting both customers and administrators. Given the GDPR regulations in Europe, any data compromise could lead to substantial legal and financial penalties. The requirement for contributor-level access means that attackers must first compromise or have insider access to an account with elevated privileges, which is a moderate barrier but still feasible in many environments. The vulnerability's impact on confidentiality and integrity without affecting availability means that while the site may remain operational, the trustworthiness and security of data processed by the platform are at risk.

European organizations should immediately audit user roles and permissions within their WordPress installations to ensure that contributor-level access is strictly controlled and monitored. Implementing the principle of least privilege will reduce the risk of exploitation. Since no official patch is currently linked, organizations should consider temporarily disabling or removing the SMS Alert Order Notifications plugin until a secure update is released. Additionally, applying Web Application Firewall (WAF) rules that detect and block malicious script injections targeting the sa_verify shortcode can provide interim protection. Regularly scanning the website for injected scripts and anomalous content is recommended to detect potential exploitation early. Organizations should also educate administrators and contributors about the risks of uploading or entering untrusted content. Monitoring logs for unusual activity related to the plugin and user accounts with contributor or higher privileges can help identify exploitation attempts. Finally, keeping WordPress core, themes, and other plugins up to date reduces the overall attack surface.