CVE-2025-5767 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Crowdfunding for WooCommerce plugin developed by wpwham for WordPress. This vulnerability affects all versions up to and including 3.1.14. The root cause is improper neutralization of input during web page generation, specifically insufficient sanitization and escaping of the 'width' parameter. An authenticated attacker with Contributor-level access or higher can exploit this flaw by injecting arbitrary malicious scripts into pages. These scripts are stored persistently and executed whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or redirection to malicious sites. The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level. The attack vector is network-based, requires low attack complexity, and privileges at the Contributor level, but no user interaction is needed for exploitation. The scope is changed, meaning the vulnerability can affect resources beyond the initially compromised component, and the impact affects confidentiality and integrity but not availability. No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability is classified under CWE-79, which concerns improper input neutralization leading to XSS attacks.

For European organizations using WordPress with the Crowdfunding for WooCommerce plugin, this vulnerability poses a significant risk to the confidentiality and integrity of user data and site content. Attackers with Contributor-level access could inject malicious scripts that execute in the context of other users' browsers, potentially stealing session cookies, credentials, or performing unauthorized actions on behalf of users with higher privileges. This could lead to data breaches, defacement of crowdfunding campaigns, or manipulation of fundraising information, undermining trust and causing reputational damage. Since crowdfunding platforms often handle sensitive financial transactions and donor information, the exploitation of this vulnerability could also have regulatory implications under GDPR if personal data is compromised. The lack of user interaction required for exploitation increases the risk of widespread impact once an attacker gains the necessary access. Although no known exploits are currently reported, the medium severity and ease of exploitation by authenticated users make timely mitigation critical to prevent potential attacks.

European organizations should immediately audit their WordPress installations to identify if the Crowdfunding for WooCommerce plugin is in use and verify the version. Until an official patch is released, organizations should consider the following specific mitigations: 1) Restrict Contributor-level access strictly to trusted users and review user roles to minimize the number of users with such privileges. 2) Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the 'width' parameter in plugin requests. 3) Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser context. 4) Monitor logs for unusual activity related to plugin parameters and user input. 5) Consider temporarily disabling or removing the plugin if it is not critical to operations. 6) Prepare to apply patches promptly once they become available from the vendor. 7) Educate site administrators and developers about secure coding practices, especially input sanitization and output escaping, to prevent similar vulnerabilities in custom plugins or themes.