CVE-2025-57904 is a stored Cross-site Scripting (XSS) vulnerability identified in the Sales Count Manager plugin for WooCommerce developed by WP-EXPERTS.IN. The vulnerability arises due to improper neutralization of input during web page generation, classified under CWE-79. Specifically, the plugin fails to adequately sanitize or encode user-supplied input before rendering it on web pages, allowing malicious scripts to be stored and executed in the context of the affected website. This stored XSS can be triggered when an authenticated user with high privileges inputs crafted data that is later displayed without proper escaping, leading to script execution in the browsers of users who view the affected pages. The CVSS 3.1 base score is 5.9 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring high privileges (PR:H), user interaction (UI:R), scope changed (S:C), and low impact on confidentiality, integrity, and availability (C:L/I:L/A:L). The vulnerability affects versions up to 2.5 of the Sales Count Manager plugin, with no patch currently available. No known exploits are reported in the wild as of the publication date (September 22, 2025).

For European organizations using WooCommerce with the Sales Count Manager plugin, this vulnerability poses a risk of stored XSS attacks that can compromise the integrity and confidentiality of user sessions and data. Attackers with high privileges (e.g., administrators or shop managers) could inject malicious scripts that execute when other users access affected pages, potentially leading to session hijacking, defacement, or unauthorized actions performed on behalf of users. This can undermine customer trust, lead to data breaches involving personal or payment information, and cause reputational damage. Given the e-commerce context, the impact extends to financial losses and regulatory compliance issues under GDPR if personal data is compromised. The requirement for high privileges and user interaction somewhat limits exploitation but does not eliminate risk, especially in environments with multiple administrators or less stringent access controls.

European organizations should immediately audit their WooCommerce installations to identify the presence and version of the Sales Count Manager plugin. Until a patch is released, mitigation should include restricting plugin usage to trusted administrators only and enforcing strict input validation and output encoding policies at the application level. Implement Content Security Policy (CSP) headers to reduce the impact of XSS by restricting script execution sources. Regularly monitor logs for suspicious input patterns and user activities indicative of attempted exploitation. Additionally, consider disabling or removing the plugin if it is not essential. Organizations should also ensure their WooCommerce and WordPress core installations are up to date and apply security hardening best practices, such as limiting administrative access via IP whitelisting and multi-factor authentication. Once a patch is available, prioritize its deployment to remediate the vulnerability fully.