CVE-2025-47588 is a critical vulnerability classified as an improper control of generation of code, commonly known as code injection, found in the acowebs Dynamic Pricing With Discount Rules plugin for WooCommerce. The affected versions include all releases up to and including 4.5.9. This vulnerability allows an unauthenticated attacker to inject and execute arbitrary code remotely on the server hosting the vulnerable WordPress plugin. The root cause lies in insufficient validation or sanitization of user-controllable input that is dynamically incorporated into code generation processes within the plugin. Because the plugin handles dynamic pricing and discount rules, it likely processes complex input that, if not properly controlled, can be manipulated to inject malicious PHP or other code. The CVSS v3.1 base score is 9.8, reflecting a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and full impact on confidentiality, integrity, and availability (C:H/I:H/A:H). This means an attacker can remotely and easily exploit the vulnerability without authentication or user action, leading to complete system compromise. Although no exploits have been reported in the wild yet, the severity and ease of exploitation make this a critical threat. The vulnerability was reserved in May 2025 and published in November 2025, indicating recent discovery and disclosure. The affected plugin is widely used in WooCommerce-based e-commerce sites to manage pricing and discounts dynamically, making it a high-value target for attackers aiming to disrupt online retail operations or steal sensitive customer and business data.

For European organizations, especially those operating e-commerce platforms using WooCommerce with the acowebs Dynamic Pricing plugin, this vulnerability poses a severe risk. Exploitation can lead to full system compromise, allowing attackers to execute arbitrary code, which can result in data theft, site defacement, ransomware deployment, or use of the compromised server as a pivot point for further attacks. The confidentiality of customer data, including payment and personal information, can be breached, violating GDPR and other data protection regulations, leading to legal and financial penalties. Integrity of pricing and discount rules can be manipulated, causing financial losses or reputational damage. Availability of the e-commerce service can be disrupted, impacting business continuity and customer trust. The ease of exploitation without authentication or user interaction increases the likelihood of automated attacks and widespread exploitation attempts. Given the critical nature of online retail in Europe and the reliance on WooCommerce, the impact can be significant across multiple sectors including retail, logistics, and financial services supporting e-commerce.

1. Immediate upgrade: Apply the vendor's patch or update the acowebs Dynamic Pricing With Discount Rules plugin to a version later than 4.5.9 once available. 2. Temporary disablement: If patching is not immediately possible, disable or deactivate the vulnerable plugin to prevent exploitation. 3. Input validation: Implement additional web application firewall (WAF) rules to detect and block suspicious payloads targeting the plugin's endpoints, focusing on code injection patterns. 4. Access control: Restrict administrative access to the WordPress backend and plugin management interfaces using IP whitelisting, multi-factor authentication, and least privilege principles. 5. Monitoring and detection: Enable detailed logging and monitor for unusual activity such as unexpected code execution, file changes, or anomalous network traffic from the web server. 6. Backup and recovery: Ensure recent, tested backups of the website and database are available to enable rapid restoration in case of compromise. 7. Security audit: Conduct a thorough security review of all installed plugins and themes to identify other potential vulnerabilities or outdated components. 8. User awareness: Educate site administrators about the risks of installing unverified plugins and the importance of timely updates.