CVE-2025-5238 identifies a stored Cross-Site Scripting (XSS) vulnerability in the YITH WooCommerce Wishlist plugin for WordPress, present in all versions up to and including 4.5.0. The root cause is insufficient input sanitization and output escaping of the 'id' parameter used during web page generation. This vulnerability allows authenticated attackers with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages rendered by the plugin. Because the malicious script is stored, it executes every time a user accesses the affected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability does not require user interaction beyond visiting the injected page, but it does require the attacker to have some level of authenticated access, limiting exploitation to insiders or compromised accounts. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial confidentiality and integrity impact. No public exploits have been reported yet, but the vulnerability's presence in a popular e-commerce plugin makes it a significant risk. The lack of available patches at the time of disclosure necessitates immediate mitigation steps by administrators.

The impact of CVE-2025-5238 is primarily on the confidentiality and integrity of affected WordPress sites using the YITH WooCommerce Wishlist plugin. Successful exploitation can lead to session hijacking, theft of sensitive user data such as cookies or credentials, unauthorized actions performed on behalf of users, and potential defacement or redirection attacks. For e-commerce sites, this could result in loss of customer trust, financial fraud, and reputational damage. Since the vulnerability requires authenticated access, the risk is heightened in environments where Contributor or higher privileges are granted to multiple users or where accounts are compromised. The stored nature of the XSS means that all users accessing the infected page are at risk, broadening the scope of impact. Although availability is not affected, the breach of confidentiality and integrity can have severe operational and compliance consequences, especially for organizations handling payment or personal data.

To mitigate CVE-2025-5238, organizations should first check for and apply any official patches or updates released by YITH Themes as soon as they become available. In the absence of patches, administrators should restrict Contributor-level and higher privileges to trusted users only and audit existing users for suspicious accounts. Implementing Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting the 'id' parameter can provide temporary protection. Additionally, site owners should enable Content Security Policy (CSP) headers to restrict script execution sources, reducing the impact of injected scripts. Regularly scanning the website for injected malicious scripts and cleaning any found is critical. Developers maintaining custom code should review and improve input validation and output encoding practices, especially for parameters rendered in HTML contexts. Monitoring logs for unusual activity related to the wishlist pages can help detect exploitation attempts early.