CVE-2025-47588 is a critical vulnerability classified as 'Improper Control of Generation of Code' or code injection in the acowebs Dynamic Pricing With Discount Rules plugin for WooCommerce, a popular e-commerce platform plugin. The vulnerability affects all versions up to and including 4.5.9. It allows remote attackers to inject and execute arbitrary code without requiring authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The root cause is insufficient validation or sanitization of inputs that are used in dynamic code generation within the plugin's discount rule processing logic. This flaw can be exploited by crafting malicious requests that cause the plugin to execute attacker-controlled code on the server hosting the WooCommerce site. The impact includes full compromise of the web server, theft or manipulation of sensitive customer and business data, and potential disruption of e-commerce operations. Although no public exploits are currently known, the vulnerability's critical severity and ease of exploitation make it a high-risk threat. The vulnerability was reserved in May 2025 and published in November 2025, with no patch links currently available, indicating that a fix may be forthcoming or pending deployment by the vendor. Organizations using this plugin should consider the vulnerability urgent and take immediate action to mitigate risk.

For European organizations, this vulnerability poses a significant threat to e-commerce platforms relying on WooCommerce with the affected acowebs plugin. Successful exploitation can lead to complete server takeover, exposing sensitive customer data such as payment information, personal details, and order histories, thereby violating GDPR and other data protection regulations. The integrity of pricing and discount rules can be manipulated, causing financial losses or reputational damage. Availability of the e-commerce service can be disrupted through malicious payloads or backdoors installed by attackers. Given the critical nature of the vulnerability and the lack of authentication or user interaction requirements, attackers can automate exploitation at scale, increasing the risk of widespread attacks. This threat is particularly concerning for mid to large-sized retailers and service providers in Europe that depend heavily on WooCommerce for online sales, as well as managed service providers hosting multiple WooCommerce instances.

1. Immediately monitor official acowebs channels and trusted vulnerability databases for the release of a security patch addressing CVE-2025-47588 and apply it promptly. 2. Until a patch is available, disable or deactivate the Dynamic Pricing With Discount Rules plugin to eliminate the attack surface. 3. Conduct a thorough audit of WooCommerce installations to identify all instances of the vulnerable plugin and prioritize remediation. 4. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the plugin’s endpoints, especially those attempting to inject code or manipulate discount rules. 5. Restrict access to WooCommerce administrative interfaces and plugin endpoints via IP whitelisting or VPN access where feasible. 6. Employ runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect anomalous code execution or unauthorized changes. 7. Review server and application logs for signs of exploitation attempts or successful breaches, including unusual process executions or outbound connections. 8. Educate development and operations teams about the risks of dynamic code generation and enforce secure coding practices to prevent similar vulnerabilities in custom plugins or extensions.