CVE-2025-5767 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Crowdfunding for WooCommerce plugin developed by wpwham for WordPress. The vulnerability exists due to improper neutralization of input during web page generation, specifically involving the 'width' parameter. All plugin versions up to and including 3.1.14 fail to adequately sanitize and escape this input, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on their behalf. The vulnerability is exploitable remotely over the network without user interaction, with low attack complexity, but requires authenticated access with at least Contributor privileges. The CVSS 3.1 base score is 6.4, reflecting medium severity with partial impact on confidentiality and integrity but no impact on availability. No public exploits have been reported yet, but the vulnerability poses a significant risk to websites relying on this plugin for crowdfunding functionalities. The issue highlights the importance of rigorous input validation and output encoding in web applications to prevent XSS attacks.

The exploitation of CVE-2025-5767 can lead to unauthorized script execution in the context of affected websites, compromising user sessions and potentially enabling attackers to steal sensitive information, perform actions on behalf of users, or deface websites. For organizations, this can result in reputational damage, loss of customer trust, and potential regulatory penalties if user data is compromised. E-commerce platforms using WooCommerce crowdfunding features are particularly at risk, as attackers could manipulate campaign pages or user interactions. Since the vulnerability requires authenticated access with Contributor-level permissions, insider threats or compromised accounts increase risk. The scope includes all websites running vulnerable versions of the plugin, which may be numerous given WooCommerce's popularity. While availability is not impacted, the confidentiality and integrity of user data and site content are at risk, making this a significant concern for online businesses and communities relying on crowdfunding functionalities.

Organizations should immediately update the Crowdfunding for WooCommerce plugin to a version that addresses this vulnerability once available. Until a patch is released, administrators should restrict Contributor-level access to trusted users only and monitor for suspicious activity. Implementing Web Application Firewalls (WAF) with rules to detect and block malicious payloads targeting the 'width' parameter can provide temporary protection. Additionally, applying Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Regularly auditing user permissions and employing multi-factor authentication (MFA) can reduce the risk of account compromise. Developers should review and enhance input validation and output encoding practices in the plugin codebase to prevent similar issues. Finally, educating site administrators and users about the risks of XSS and safe content management practices is recommended.