CVE-2025-48254 is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the WordPress plugin 'Change Add to Cart Button Text for WooCommerce' developed by WPFactory. This plugin allows customization of the 'Add to Cart' button text in WooCommerce stores. The vulnerability arises from improper neutralization of user-supplied input during web page generation, enabling an attacker to inject malicious scripts that are stored persistently and executed in the context of users visiting the affected site. The vulnerability affects all versions up to and including 2.2.2. Exploitation requires the attacker to have at least low privileges (PR:L) and some user interaction (UI:R), such as tricking an administrator or editor into performing an action that stores the malicious payload. The CVSS v3.1 base score is 6.5 (medium severity), with an attack vector of network (AV:N), low attack complexity (AC:L), partial privileges required, and scope changed (S:C), indicating that the vulnerability can impact resources beyond the initially vulnerable component. Successful exploitation can lead to partial confidentiality, integrity, and availability impacts, such as session hijacking, defacement, or unauthorized actions performed on behalf of users. No known exploits are currently reported in the wild, and no official patches have been linked yet. However, the vulnerability's presence in a widely used e-commerce plugin makes it a significant concern for online retailers using WooCommerce with this plugin installed.

For European organizations operating WooCommerce-based e-commerce websites using the 'Change Add to Cart Button Text for WooCommerce' plugin, this vulnerability poses a risk of persistent XSS attacks that can compromise customer trust and data security. Attackers could execute malicious scripts in the browsers of site administrators or customers, potentially stealing session cookies, redirecting users to phishing sites, or manipulating site content. This can lead to reputational damage, regulatory non-compliance (e.g., GDPR violations due to data leakage), and financial losses from disrupted sales or fraud. Given the e-commerce sector's critical role in Europe's digital economy, especially in countries with high online retail penetration, the impact can be substantial. Additionally, the compromise of administrative accounts could lead to further site-wide control loss or malware injection, amplifying the damage. The medium severity score reflects that while exploitation requires some privileges and user interaction, the consequences affect confidentiality, integrity, and availability, making it a noteworthy threat for European WooCommerce operators.

European organizations should immediately audit their WooCommerce installations to identify if the 'Change Add to Cart Button Text for WooCommerce' plugin is in use and determine the version. Until an official patch is released, administrators should consider disabling or uninstalling the plugin to eliminate the attack surface. Implement strict input validation and output encoding on all user-supplied data related to this plugin's functionality, especially where button text customization is allowed. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Limit plugin access strictly to trusted users with minimal necessary privileges to reduce the risk of malicious input injection. Monitor logs for unusual activities or attempts to inject scripts. Educate administrators about phishing and social engineering risks that could facilitate exploitation. Once a patch becomes available, prioritize prompt application of updates. Additionally, consider deploying Web Application Firewalls (WAFs) with rules targeting XSS payloads specific to this plugin's context to provide interim protection.