CVE-2025-39520 identifies a Stored Cross-Site Scripting (XSS) vulnerability in the WP Wham Checkout Files Upload plugin for WooCommerce, specifically affecting versions up to and including 2.2.0. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows malicious scripts to be stored on the server and executed in the browsers of users who visit the affected pages. This type of XSS is particularly dangerous because the malicious payload persists on the site, potentially impacting all visitors to the compromised page. The plugin in question facilitates file uploads during the WooCommerce checkout process, and the vulnerability likely arises from insufficient sanitization of file metadata or user inputs related to the upload process. Attackers can exploit this flaw without requiring authentication or user interaction beyond visiting a maliciously crafted page, making it easier to weaponize. The consequences of exploitation include session hijacking, theft of sensitive information such as cookies or credentials, defacement, or redirecting users to malicious sites. Currently, there are no publicly known exploits in the wild, and no official patches have been linked yet. The vulnerability was published on April 16, 2025, and assigned by Patchstack. The absence of a CVSS score necessitates an independent severity assessment based on the nature of the vulnerability and its potential impact.

The impact of this Stored XSS vulnerability is significant for organizations running WooCommerce stores with the affected WP Wham Checkout Files Upload plugin. Attackers can inject persistent malicious scripts that execute in the browsers of customers and administrators, leading to credential theft, session hijacking, unauthorized actions on behalf of users, and potential malware distribution. This undermines the confidentiality and integrity of user data and can damage the reputation and trustworthiness of the e-commerce platform. Additionally, attackers could leverage this vulnerability to pivot to further attacks within the network if administrative users are compromised. The availability impact is generally low but could be indirectly affected if the site is defaced or taken offline to remediate the issue. Given WooCommerce's widespread use globally, the scope of affected systems can be substantial, especially for small to medium-sized businesses that may not have rigorous security controls. The lack of required authentication and ease of exploitation increase the risk of widespread attacks once exploit code becomes available.

To mitigate this vulnerability, organizations should immediately monitor for updates from WP Wham and apply any official patches as soon as they are released. In the absence of a patch, administrators should consider temporarily disabling the Checkout Files Upload plugin or restricting its use to trusted users only. Implementing strict input validation and output encoding on all user-supplied data related to file uploads can reduce the risk of injection. Web Application Firewalls (WAFs) should be configured to detect and block typical XSS payloads targeting the affected plugin endpoints. Regular security audits and penetration testing focused on plugin vulnerabilities can help identify similar issues proactively. Additionally, educating site administrators and users about the risks of XSS and encouraging the use of security headers such as Content Security Policy (CSP) can mitigate the impact of successful exploitation. Finally, monitoring logs for unusual activity related to file uploads or checkout pages can provide early warning signs of exploitation attempts.