CVE-2025-53455 is a medium-severity stored Cross-site Scripting (XSS) vulnerability identified in the CashBill.pl – Płatności WooCommerce plugin, a payment integration tool used with WooCommerce, a popular e-commerce platform for WordPress. The vulnerability arises due to improper neutralization of input during web page generation (CWE-79), allowing malicious actors to inject and store arbitrary JavaScript code within the plugin's data fields. When a victim user or administrator views the affected page, the malicious script executes in their browser context. This can lead to session hijacking, unauthorized actions on behalf of the user, defacement, or redirection to malicious sites. The CVSS 3.1 base score is 5.9, reflecting a medium impact with network attack vector, low attack complexity, but requiring high privileges and user interaction. The vulnerability affects all versions of CashBill.pl – Płatności WooCommerce up to 3.2.1. No patches or known exploits in the wild have been reported yet. The vulnerability’s scope is changed (S:C), indicating that exploitation can affect resources beyond the vulnerable component. The plugin is primarily used in Poland and other European countries where WooCommerce is popular, especially among e-commerce merchants using CashBill as a payment gateway. Stored XSS is particularly dangerous because the malicious payload persists on the server and can affect multiple users, including administrators, increasing the risk of privilege escalation and data compromise.

For European organizations, especially e-commerce businesses using WooCommerce with CashBill.pl payment integration, this vulnerability poses a significant risk. Exploitation could lead to theft of user credentials, payment information, and session tokens, undermining customer trust and potentially causing financial losses. The integrity of transaction data and administrative controls could be compromised, leading to fraudulent transactions or unauthorized changes to store configurations. Given the plugin’s usage in Poland and neighboring countries, organizations in these regions are at higher risk. Additionally, regulatory frameworks like GDPR impose strict requirements on protecting customer data; a successful attack exploiting this vulnerability could result in regulatory penalties and reputational damage. The requirement for high privileges and user interaction somewhat limits the attack surface but does not eliminate risk, especially in environments where multiple users have administrative access.

Organizations should immediately audit their use of the CashBill.pl – Płatności WooCommerce plugin and restrict administrative access to trusted personnel only. Implement strict input validation and output encoding on all user-supplied data within the plugin’s context to prevent script injection. Employ Content Security Policy (CSP) headers to reduce the impact of potential XSS payloads by restricting script execution sources. Monitor logs for unusual activity indicative of XSS exploitation attempts. Since no official patch is currently available, consider temporarily disabling the plugin or replacing it with alternative payment gateways until a fix is released. Additionally, conduct regular security training for administrators to recognize phishing or social engineering attempts that could facilitate exploitation. Finally, keep all WordPress and WooCommerce components up to date to minimize exposure to other vulnerabilities.