CVE-2025-3878 is a stored cross-site scripting (XSS) vulnerability identified in the SMS Alert Order Notifications – WooCommerce plugin for WordPress, maintained by cozyvision1. The vulnerability exists in all versions up to and including 3.8.1 and is due to insufficient sanitization and escaping of user-supplied attributes in the plugin's sa_verify shortcode. Specifically, authenticated users with contributor-level permissions or higher can inject arbitrary JavaScript code into pages generated by the plugin. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, cookies, or enabling further attacks such as privilege escalation or defacement. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 6.4, reflecting network attack vector, low attack complexity, requiring privileges (PR:L), no user interaction, and a scope change with low confidentiality and integrity impacts but no availability impact. No patches or known exploits are currently available or reported. The vulnerability affects all versions of the plugin, making it critical for affected sites to implement mitigations or updates once available. The plugin is widely used in WooCommerce environments, which are popular in e-commerce websites built on WordPress.

The impact of CVE-2025-3878 is primarily on the confidentiality and integrity of affected WordPress sites using the vulnerable plugin. Exploitation allows an authenticated user with contributor-level access to inject malicious scripts that execute in the context of other users, including administrators. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and potential site defacement. While availability is not directly affected, the compromise of administrative accounts or data integrity can disrupt business operations and damage reputation. E-commerce sites relying on WooCommerce and this plugin risk exposing customer data and order information. The scope of impact is significant for organizations with multiple contributors or editors, as these roles can be leveraged to exploit the vulnerability. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed.

To mitigate CVE-2025-3878, organizations should immediately restrict contributor-level and higher user permissions to trusted individuals only, minimizing the risk of malicious script injection. Administrators should monitor and audit content submitted via the sa_verify shortcode for suspicious input. Implementing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting the plugin can provide interim protection. Site owners should subscribe to vendor updates and apply patches promptly once released. In the absence of an official patch, consider disabling or removing the SMS Alert Order Notifications – WooCommerce plugin if feasible. Additionally, applying Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regular backups and incident response plans should be in place to recover from potential compromises. Finally, educating contributors about secure content submission practices can reduce injection risks.