CVE-2025-47487: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in moreconvert MC Woocommerce Wishlist

Severity: High
Tags: Vulnerability, CVE-2025-47487, CWE-79
Published: Mon Jun 09 2025 (06/09/2025, 15:54:11 UTC)
Source: CVE Database V5
Vendor/Project: moreconvert
Product: MC Woocommerce Wishlist

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in moreconvert MC Woocommerce Wishlist allows Reflected XSS. This issue affects MC Woocommerce Wishlist: from n/a through 1.9.1.

AI-Powered Analysis

Last updated: 07/11/2025, 01:17:39 UTC

Technical Analysis

CVE-2025-47487 is a high-severity reflected cross-site scripting (XSS) vulnerability in the moreconvert MC Woocommerce Wishlist WordPress plugin, affecting all versions up to and including 1.9.1 (the record gives no lower bound). It is classified under CWE-79: user-supplied input is written into a generated page without adequate sanitization or output encoding. Because the flaw is reflected rather than stored, the payload travels in the attacker's crafted request (typically a URL parameter) and is echoed straight back in the response, so a victim has to be induced to open a crafted link before any script runs in their browser.

The CVSS 3.1 base score of 7.1 (High) carries the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: the attack is launched over the network, has low complexity, needs no privileges on the target site, and requires user interaction. Scope is changed (S:C) because the vulnerable component is the web application while the injected script executes in the victim's browser under the site's origin; confidentiality, integrity and availability impact are each rated Low, not high. In practice the script runs with whatever the victim's browser can do on that origin: read page content, exfiltrate data, issue requests with the victim's session, deface the page, or redirect to a phishing site. WordPress sets its authentication cookies with the HttpOnly flag, so outright cookie theft by script is typically not possible; the more realistic outcome is actions issued from the victim's authenticated browser session, which is most damaging when the victim is a site administrator.

No exploits in the wild were reported at the time of this analysis, and no patch or fixed version is linked in the record. The plugin is used on WordPress/WooCommerce stores to let customers save products for later purchase consideration, so any store running an affected version is exposed once a crafted link reaches its customers or staff; given WooCommerce's wide deployment, the population of affected stores is potentially large if the issue is not mitigated promptly.

Potential Impact

For European organizations, especially e-commerce businesses running WordPress with the MC Woocommerce Wishlist plugin, this vulnerability poses a significant risk. Exploitation could expose customer data such as session-bound actions and personal information, leading to financial fraud, reputational damage, and loss of customer trust. The reflected XSS could also be leveraged for phishing that targets European customers from a legitimate store domain, which may trigger GDPR obligations around data protection and breach notification. The changed scope in the CVSS vector reflects that the script executes in each victim's browser rather than on the server, so every user who opens a crafted link is affected individually, and an administrator victim exposes the site itself. Given the high adoption of WordPress and WooCommerce in Europe, particularly among small and medium enterprises, the threat could disrupt online retail operations and lead to regulatory penalties if personal data is compromised. Because user interaction is required, attackers would rely on social engineering or phishing campaigns to deliver the crafted link, which lowers the bar compared with an unauthenticated server-side flaw only slightly, since such campaigns are cheap to run at scale.

Mitigation Recommendations

1. Confirm exposure first: check the installed plugin version on the Plugins screen or with WP-CLI (`wp plugin list`). If the version is 1.9.1 or earlier and no fixed release is available, deactivate or remove the plugin until one is.
2. Implement Web Application Firewall (WAF) rules to detect and block reflected XSS payloads targeting the plugin's endpoints. Reflected payloads arrive URL-encoded and sometimes double-encoded, so rules must decode the request before matching.
3. Educate users and administrators about the risk of clicking suspicious links to the store, since a crafted link is the delivery mechanism for a reflected XSS attack.
4. Monitor web server logs for unusual request patterns or attempts to inject script via URL parameters related to the wishlist functionality, for example decoded query values containing `<script`, event-handler attributes such as `onerror=`, or `javascript:` URIs.
5. Apply Content Security Policy (CSP) headers to restrict execution of unauthorized scripts. A CSP only blunts reflected XSS if it disallows inline script (nonce- or hash-based `script-src`); a policy that includes `'unsafe-inline'`, common on WordPress sites, does not help here.
6. Once a patch is released by moreconvert, promptly test and deploy it in all affected environments; the assigner (Patchstack) advisory will identify the fixed version.
7. Review input handling and output encoding in any customizations built around the wishlist plugin, escaping at output with the WordPress helpers appropriate to the context (`esc_html()`, `esc_attr()`, `esc_url()`, or `wp_kses()` for constrained HTML).
8. For organizations with incident response teams, prepare to respond to phishing or session-abuse incidents stemming from this vulnerability, including forced logout of affected users.
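As an added example covering the reflected-request pattern described in the technical analysis and the log-monitoring step above (this is not code from moreconvert, the plugin, or Patchstack): the script below URL-decodes each query parameter in constructed access-log lines, including double-encoded values, and flags the usual XSS indicators. The advisory does not identify the vulnerable endpoint or parameter, so the `/wishlist/` path and the `wishlist_tab` / `wishlist_item` parameter names in the sample are hypothetical placeholders.

```python
"""Scan web-server access logs for reflected-XSS probes in query strings.

Added illustration for this advisory, not code from moreconvert, Patchstack
or the MC Woocommerce Wishlist plugin. The advisory names no vulnerable
endpoint or parameter, so the path (/wishlist/) and parameter names
(wishlist_tab, wishlist_item) in the constructed sample log are hypothetical.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Request line inside an Apache/Nginx combined-format log entry.
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators matched against the fully URL-decoded parameter value. They are
# broad on purpose; tune them against real traffic before turning them into alerts.
_XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),                      # <script ...>
    re.compile(r"<\s*[a-z]+\b[^>]*\bon[a-z]+\s*=", re.I),   # <svg onload=...>
    re.compile(r"\bjavascript\s*:", re.I),                  # javascript: URIs
    re.compile(r"(?:^|[\s'\"])on(?:error|load|focus|mouseover|toggle)\s*=", re.I),
]


def decode_repeatedly(value, rounds=3):
    """URL-decode until the value stops changing, so a double-encoded '<'
    (%253C) is seen as '<'. The round limit keeps pathological input cheap."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """Return (name, decoded value) for each query parameter that matches an indicator."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl already performs one decoding round; decode again for nesting.
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = decode_repeatedly(raw)
        if any(p.search(value) for p in _XSS_PATTERNS):
            hits.append((name, value))
    return hits


def scan_log(lines):
    """Return one finding per log line whose query string carries an XSS indicator."""
    findings = []
    for line in lines:
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        hits = suspicious_params(match.group("target"))
        if hits:
            findings.append({
                "client": line.split(" ", 1)[0],
                "target": match.group("target"),
                "params": hits,
            })
    return findings


# Constructed sample entries (hypothetical paths and parameter names).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jun/2025:18:54:15 +0000] "GET /wishlist/?wishlist_item=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jun/2025:18:55:02 +0000] "GET /wishlist/?wishlist_tab=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 4870 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jun/2025:18:55:09 +0000] "GET /wishlist/?wishlist_tab=%253Csvg%2520onload%253Dalert(1)%253E HTTP/1.1" 200 4870 "-" "Mozilla/5.0"',
    '203.0.113.44 - - [10/Jun/2025:18:56:30 +0000] "GET /?s=javascript+tutorial HTTP/1.1" 200 9901 "-" "Mozilla/5.0"',
    '203.0.113.44 - - [10/Jun/2025:18:57:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["client"], finding["target"])
        for name, value in finding["params"]:
            print("   ", name, "=", value)
```

Run against real logs by replacing `SAMPLE_LOG` with the file's lines; only the two probe entries from 198.51.100.7 are reported, while the benign search for "javascript tutorial" is not, because the indicators require the structural pieces of a payload (a tag, an event-handler assignment, a `javascript:` scheme) rather than bare keywords. A probe that returned HTTP 200 is worth checking against the WAF rule set, which should decode the request the same way before matching.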


Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-05-07T09:39:15.824Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68487f571b0bd07c3938a625

Added to database: 6/10/2025, 6:54:15 PM

Last enriched: 7/11/2025, 1:17:39 AM

Last updated: 7/31/2025, 2:55:48 PM
