CVE-2025-50045 is a Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting the ProWCPlugins Related Products Manager plugin for WooCommerce. This vulnerability arises from improper neutralization of input during web page generation, specifically enabling DOM-based XSS attacks. The affected versions include all releases up to and including version 1.6.2. In a DOM-based XSS scenario, malicious scripts are injected and executed in the victim's browser by manipulating the Document Object Model, often without server-side input sanitization. This can lead to unauthorized script execution within the context of the affected web application. The vulnerability requires low attack complexity (AC:L), network attack vector (AV:N), and privileges limited to authenticated users (PR:L) with user interaction (UI:R). The scope is changed (S:C), indicating that the vulnerability affects components beyond the initially vulnerable module, potentially impacting other parts of the application or user sessions. The CVSS score is 6.5 (medium severity), reflecting limited but significant impacts on confidentiality, integrity, and availability. Specifically, an attacker could steal session tokens, perform actions on behalf of authenticated users, or manipulate displayed content, leading to partial data exposure or integrity loss. No known exploits are currently reported in the wild, and no patches are linked yet, indicating that mitigation may rely on vendor updates or temporary workarounds. The vulnerability is particularly relevant for websites using WooCommerce with this plugin installed, which is a common e-commerce platform on WordPress, widely used across Europe for online retail operations.

For European organizations, especially those operating e-commerce platforms using WooCommerce with the ProWCPlugins Related Products Manager, this vulnerability poses a tangible risk. Exploitation could allow attackers to execute arbitrary scripts in the context of the affected web application, potentially leading to session hijacking, theft of customer data, manipulation of product recommendations, or fraudulent transactions. This undermines customer trust and could result in regulatory non-compliance, particularly under GDPR, due to unauthorized access or leakage of personal data. The medium severity score indicates that while the vulnerability is not critical, it can still cause meaningful disruption and reputational damage. Given the widespread adoption of WooCommerce in small to medium enterprises across Europe, the attack surface is significant. Additionally, the requirement for authenticated user privileges and user interaction suggests that attackers may target employees or customers with access to the system, increasing the risk of social engineering or phishing campaigns to facilitate exploitation. The scope change implies that the vulnerability could affect multiple components, potentially amplifying the impact beyond a single plugin feature.

Apply vendor patches immediately once available to address the input neutralization flaw in the Related Products Manager plugin. Implement strict Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of DOM-based XSS. Conduct thorough input validation and output encoding on all user-controllable inputs, especially those influencing the DOM in the plugin's functionality. Limit plugin usage to trusted users and restrict administrative privileges to reduce the risk of authenticated exploitation. Regularly audit and monitor web application logs for unusual activities indicative of XSS attempts or successful exploitation. Educate staff and users about phishing and social engineering tactics that could be used to gain authenticated access necessary for exploitation. Consider deploying Web Application Firewalls (WAF) with custom rules to detect and block XSS payloads targeting the affected plugin endpoints. Temporarily disable or replace the Related Products Manager plugin if immediate patching is not feasible, to eliminate the attack vector.