CVE-2025-47504 is a stored cross-site scripting (XSS) vulnerability identified in WPFactory's Custom Checkout Fields for WooCommerce (up to version 1.8.3) and Customer Email Verification for WooCommerce (up to version 3.0.2). The vulnerability stems from improper neutralization of user-supplied input during web page generation, classified under CWE-79. This flaw allows an attacker with at least limited privileges (authenticated user) to inject malicious JavaScript payloads that are stored and later executed in the browsers of other users viewing affected pages. The attack vector is remote network-based, with low attack complexity, requiring user interaction. The vulnerability impacts confidentiality by potentially exposing session tokens or sensitive data, integrity by enabling unauthorized actions or data manipulation, and availability by facilitating denial-of-service conditions through script execution. The CVSS v3.1 base score is 6.5, reflecting medium severity with the vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, indicating network attack vector, low complexity, privileges required, user interaction required, scope changed, and low impacts on confidentiality, integrity, and availability. No public exploits or patches are currently available, but the vulnerability is published and recognized by CISA enrichment. The affected products are widely used WooCommerce plugins that extend checkout and email verification functionality, making e-commerce sites using these plugins vulnerable to persistent XSS attacks that can compromise customer data and site integrity.

For European organizations, particularly e-commerce businesses using WooCommerce with the affected WPFactory plugins, this vulnerability poses a significant risk. Exploitation can lead to theft of customer session cookies, enabling account takeover or fraudulent transactions, undermining customer trust and potentially violating GDPR due to unauthorized data exposure. The integrity of transaction data and customer information can be compromised, leading to financial losses and reputational damage. Additionally, attackers could leverage the XSS flaw to inject malicious scripts that perform actions on behalf of users or disrupt service availability, impacting business operations. Given the widespread use of WooCommerce in Europe, especially in countries with mature e-commerce markets, the threat could affect a large number of online retailers. The requirement for authenticated access and user interaction somewhat limits the attack surface but does not eliminate risk, as attackers may exploit compromised or low-privilege accounts. The vulnerability also increases the risk of supply chain attacks if attackers use the XSS to inject malicious code into checkout processes.

Organizations should implement the following specific mitigations: 1) Monitor WPFactory plugin updates closely and apply patches immediately once available to remediate the vulnerability. 2) Until patches are released, restrict plugin usage to trusted users and limit privileges to reduce the risk of malicious input submission. 3) Implement strict input validation and output encoding on all user-supplied data fields in the checkout and email verification processes to prevent script injection. 4) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 5) Conduct regular security audits and penetration testing focused on plugin functionality to detect similar vulnerabilities. 6) Educate staff and users about phishing and social engineering risks that could facilitate exploitation. 7) Monitor logs and user activity for unusual behavior indicative of exploitation attempts. 8) Consider deploying Web Application Firewalls (WAFs) with rules targeting XSS payloads specific to WooCommerce plugin endpoints. These measures, combined with prompt patching, will significantly reduce the risk posed by this vulnerability.