CVE-2025-5238 is a Stored Cross-Site Scripting (XSS) vulnerability affecting the YITH WooCommerce Wishlist plugin for WordPress, specifically all versions up to and including 4.5.0. The vulnerability arises due to improper neutralization of input during web page generation, classified under CWE-79. The flaw is located in the handling of the 'id' parameter, which is insufficiently sanitized and escaped before being rendered in web pages. This allows an authenticated attacker with Contributor-level access or higher to inject arbitrary JavaScript code into pages generated by the plugin. Because the injected scripts are stored persistently, they execute whenever any user accesses the affected page, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed on behalf of users. The vulnerability does not require user interaction beyond visiting the compromised page, and the attacker needs only low privileges (Contributor or above), which are common roles in WordPress environments. The CVSS v3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and a scope change with low confidentiality and integrity impact but no availability impact. No known exploits are reported in the wild as of the publication date (June 14, 2025). The vulnerability affects a widely used e-commerce plugin that integrates with WooCommerce, a dominant e-commerce platform on WordPress, making it a relevant threat to many online stores using this plugin. The lack of a patch link indicates that a fix may not yet be publicly available, increasing the urgency for mitigation by other means.

For European organizations, especially e-commerce businesses relying on WordPress and WooCommerce with the YITH WooCommerce Wishlist plugin, this vulnerability poses a significant risk. Exploitation could lead to theft of user credentials, session tokens, or personal data through malicious script execution. This can result in compromised customer accounts, fraudulent transactions, reputational damage, and potential regulatory penalties under GDPR for data breaches. The ability of attackers with relatively low privileges to inject scripts increases the risk from insider threats or compromised contributor accounts. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the immediate plugin context, potentially impacting other parts of the website or user sessions. Given the widespread use of WooCommerce in Europe’s online retail sector, this vulnerability could disrupt business operations and customer trust. While availability is not directly impacted, the integrity and confidentiality risks are substantial, especially for organizations handling sensitive payment or personal data. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits rapidly once details are public.

1. Immediate mitigation should include restricting Contributor-level access to trusted users only, minimizing the attack surface. 2. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the 'id' parameter in the YITH WooCommerce Wishlist plugin. 3. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts on affected pages. 4. Monitor logs for unusual activity related to wishlist pages or contributor accounts. 5. Regularly update WordPress core, WooCommerce, and all plugins, and apply the official patch from yithemes as soon as it is released. 6. Consider temporarily disabling the YITH WooCommerce Wishlist plugin if patching is not immediately possible and the risk is high. 7. Conduct security awareness training for contributors to recognize phishing or social engineering attempts that could lead to account compromise. 8. Use security plugins that provide input sanitization and output escaping enhancements as an interim protective measure. 9. Review and harden user role permissions to enforce the principle of least privilege. 10. Perform regular security audits and penetration tests focusing on plugin vulnerabilities and XSS attack vectors.