CVE-2025-48237 is a stored Cross-site Scripting (XSS) vulnerability identified in the WPFactory Wishlist for WooCommerce plugin, affecting versions up to 3.2.2. This vulnerability arises due to improper neutralization of input during web page generation, classified under CWE-79. Specifically, the plugin fails to adequately sanitize or encode user-supplied input before rendering it on web pages, allowing malicious actors to inject and store malicious scripts within the wishlist functionality. When other users or administrators view the affected wishlist pages, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, defacement, or further exploitation of the victim's browser environment. The CVSS 3.1 base score is 6.5, indicating a medium severity level. The vector string (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) reveals that the attack can be launched remotely over the network with low attack complexity, requires low privileges but does require user interaction (such as a victim clicking a link or viewing a page), and impacts confidentiality, integrity, and availability to a limited extent. The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable component. No known exploits are reported in the wild yet, and no patches are linked at the time of publication. This vulnerability is significant because WooCommerce is a widely used e-commerce platform on WordPress, and the Wishlist plugin is a popular extension enhancing user shopping experience. Stored XSS in such a context can be leveraged to compromise customer accounts, manipulate shopping data, or conduct phishing attacks within the e-commerce site environment.

For European organizations operating e-commerce websites using WooCommerce with the WPFactory Wishlist plugin, this vulnerability poses a tangible risk to customer trust and data security. Exploitation could lead to unauthorized access to user accounts, theft of personal and payment information, and manipulation of shopping data, potentially resulting in financial losses and reputational damage. Given the GDPR regulatory environment in Europe, any data breach involving personal data could lead to significant legal and financial penalties. Additionally, attackers could use the stored XSS to distribute malware or conduct phishing campaigns targeting European customers, amplifying the threat. The medium severity score reflects that while the vulnerability requires some user interaction and low privileges, the potential for chained attacks and data compromise is non-trivial. Organizations relying on this plugin must consider the risk of customer data exposure and the operational impact of potential service disruptions or defacements caused by script injections.

European organizations should immediately audit their WooCommerce installations to identify the presence and version of the WPFactory Wishlist plugin. Until an official patch is released, mitigation can include disabling the Wishlist plugin to eliminate the attack surface. Implementing Web Application Firewall (WAF) rules that detect and block typical XSS payloads targeting wishlist-related endpoints can reduce risk. Additionally, enforcing Content Security Policy (CSP) headers can limit the execution of unauthorized scripts in browsers. Organizations should also review and harden input validation and output encoding practices on their e-commerce sites, especially for user-generated content. Monitoring logs for unusual activity related to wishlist submissions or page views can help detect exploitation attempts. Finally, educating users and administrators about the risks of clicking untrusted links or interacting with suspicious content can reduce the likelihood of successful exploitation.