CVE-2025-48240 is a stored Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting the WPFactory Cost of Goods for WooCommerce plugin. This vulnerability arises from improper neutralization of input during web page generation, allowing an attacker to inject malicious scripts that are stored and later executed in the context of a user's browser. Specifically, the flaw exists in versions up to 3.7.0 of the Cost of Goods for WooCommerce plugin, which is used to manage product cost data within WooCommerce, a popular e-commerce platform built on WordPress. The vulnerability requires an attacker with at least low privileges (PR:L) and some user interaction (UI:R) to exploit, but it can lead to significant consequences including partial compromise of confidentiality, integrity, and availability of the affected system. The CVSS 3.1 base score is 6.5 (medium severity), reflecting network attack vector (AV:N), low attack complexity (AC:L), and scope change (S:C). The scope change indicates that the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting the entire WordPress site or user sessions. Although no known exploits are currently reported in the wild, the nature of stored XSS makes it a persistent threat, as malicious scripts can be injected and executed whenever a victim accesses the affected page or interface. The vulnerability can be leveraged to steal session cookies, perform actions on behalf of users, deface websites, or deliver further malware payloads. Given WooCommerce's widespread use in e-commerce, this vulnerability poses a risk to online stores using this plugin, especially if administrative or vendor accounts are compromised or targeted.

For European organizations operating WooCommerce-based e-commerce sites with the WPFactory Cost of Goods plugin, this vulnerability can lead to unauthorized access to user accounts, theft of sensitive customer data, and manipulation of product cost information. The stored XSS can be exploited to hijack administrator or vendor sessions, potentially allowing attackers to alter pricing, inventory, or financial data, which can disrupt business operations and damage reputation. Additionally, compromised customer trust due to data leakage or fraudulent transactions can have regulatory consequences under GDPR, including fines and mandatory breach notifications. The availability impact, while rated medium, could manifest as denial of service through malicious script execution or site defacement, affecting sales and customer experience. The requirement for low privileges and user interaction means attackers might exploit compromised or lower-level accounts to escalate their impact. European e-commerce businesses are particularly sensitive to such threats given the high regulatory standards and customer expectations for data protection and site integrity.

Organizations should immediately update the WPFactory Cost of Goods for WooCommerce plugin to a patched version once available. Until a patch is released, administrators should implement strict input validation and output encoding on all user-supplied data related to the plugin, especially in areas where product cost data is entered or displayed. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS payloads. Regularly audit user roles and permissions to minimize the number of users with privileges that could exploit this vulnerability. Monitor logs for unusual activity or attempts to inject scripts. Additionally, consider deploying Web Application Firewalls (WAFs) with rules targeting XSS patterns specific to WooCommerce and WordPress environments. Educate users and administrators about the risks of clicking suspicious links or interacting with untrusted content within the e-commerce platform. Finally, conduct security testing and code reviews for customizations or integrations that might exacerbate the vulnerability.