CVE-2025-49908 identifies a stored Cross-site Scripting (XSS) vulnerability in the WPClever WPC Countdown Timer plugin for WooCommerce, specifically affecting versions up to 3.1.4. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows malicious scripts to be stored persistently within the plugin's data. When other users or administrators access the affected pages, the malicious scripts execute in their browsers, potentially compromising session tokens, cookies, or enabling unauthorized actions. Stored XSS is particularly dangerous because the payload remains on the server and affects multiple users without requiring repeated attacker interaction. The plugin is widely used in WooCommerce environments to create countdown timers for sales and promotions, making it a common target in e-commerce contexts. Although no public exploits are currently known, the vulnerability's presence in a popular plugin increases the risk of future exploitation. The absence of a CVSS score necessitates an independent severity assessment based on the vulnerability's characteristics. The vulnerability does not require authentication for exploitation if the input fields are publicly accessible, increasing its risk profile. The flaw can impact confidentiality and integrity by enabling session hijacking or defacement, and availability could be indirectly affected if attackers disrupt normal operations. The plugin vendor has not yet released a patch, so users must monitor for updates or apply temporary mitigations.

For European organizations, especially those operating e-commerce platforms using WooCommerce with the WPC Countdown Timer plugin, this vulnerability poses a significant risk. Exploitation could lead to theft of user credentials, unauthorized transactions, or reputational damage due to defacement or phishing attacks. Given the stored nature of the XSS, multiple users including administrators could be affected, amplifying the impact. Confidential customer data and session information could be compromised, violating GDPR requirements and potentially leading to regulatory penalties. The disruption of promotional campaigns through malicious script injection could also result in financial losses. Organizations relying heavily on online sales and customer trust are particularly vulnerable. The lack of a patch increases exposure time, necessitating immediate attention. Attackers could leverage this vulnerability to establish persistent footholds or pivot to other internal systems if administrative accounts are compromised.

Organizations should immediately audit their WooCommerce installations to identify if the WPC Countdown Timer plugin version 3.1.4 or earlier is in use. Until an official patch is released, administrators should consider disabling or removing the plugin to eliminate the attack vector. If removal is not feasible, implement strict input validation and output encoding on all user inputs related to the plugin, using security libraries that enforce context-aware escaping. Employ Web Application Firewalls (WAFs) with rules to detect and block typical XSS payloads targeting this plugin. Monitor logs and user activity for unusual behavior indicative of exploitation attempts. Educate site administrators and users about the risks of clicking suspicious links or executing unknown scripts. Once a vendor patch is available, prioritize immediate updating of the plugin. Additionally, ensure that Content Security Policy (CSP) headers are configured to restrict script execution sources, reducing the impact of potential XSS payloads. Regularly back up website data to enable quick recovery in case of compromise.