CVE-2025-48248 is a Stored Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting the WordPress plugin 'Sitewide Discount for WooCommerce: Apply Discount to All Products' developed by WPFactory. This vulnerability exists due to improper neutralization of user-supplied input during web page generation, allowing malicious scripts to be stored and executed in the context of the affected website. Specifically, the flaw is present in versions up to 2.2.1 of the plugin. An attacker with at least low-level privileges (PR:L) and requiring user interaction (UI:R) can inject malicious JavaScript code that will be stored and subsequently executed when other users or administrators view the affected pages. The vulnerability has a CVSS v3.1 base score of 6.5, indicating a medium severity level, with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. This means the attack can be performed remotely over the network with low attack complexity, requires some privileges, and user interaction, and impacts confidentiality, integrity, and availability to a limited extent. The scope is changed (S:C), meaning the vulnerability affects resources beyond the security scope of the vulnerable component. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability could allow attackers to steal session cookies, perform actions on behalf of users, or deface the website, potentially leading to further compromise or reputational damage.

For European organizations using WooCommerce with the vulnerable WPFactory plugin, this vulnerability poses a significant risk to the confidentiality and integrity of their e-commerce platforms. Attackers exploiting this Stored XSS could hijack user sessions, including those of administrators, leading to unauthorized access, data leakage, or manipulation of discount rules and pricing, which could result in financial losses. The availability impact, while limited, could manifest as disruption of normal site operations or denial of service through malicious script execution. Given the widespread use of WooCommerce in Europe for online retail, this vulnerability could affect a broad range of businesses, from small shops to large enterprises. Additionally, compliance with GDPR requires protection of user data; exploitation of this vulnerability could lead to personal data breaches, resulting in regulatory penalties and loss of customer trust. The requirement for low privileges and user interaction means that attackers might leverage social engineering or compromised accounts to initiate attacks, increasing the threat surface.

European organizations should immediately audit their WordPress installations to identify the presence of the vulnerable 'Sitewide Discount for WooCommerce: Apply Discount to All Products' plugin, especially versions up to 2.2.1. Until an official patch is released, administrators should consider disabling or removing the plugin to eliminate the attack vector. Implementing strict input validation and output encoding on all user-supplied data within the plugin's context is critical. Web Application Firewalls (WAFs) with rules targeting common XSS payloads can provide temporary protection. Additionally, organizations should enforce the principle of least privilege by restricting user roles and permissions to minimize the risk of exploitation. Monitoring logs for unusual activities related to discount modifications or script injections can help detect attempted attacks early. Educating users and administrators about phishing and social engineering risks can reduce the likelihood of attackers gaining the necessary privileges or user interaction. Once a patch is available, prompt application is essential. Finally, enabling Content Security Policy (CSP) headers can mitigate the impact of XSS by restricting the execution of unauthorized scripts.