CVE-2025-58985: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in WPFactory Additional Custom Product Tabs for WooCommerce
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Additional Custom Product Tabs for WooCommerce allows Stored XSS. This issue affects Additional Custom Product Tabs for WooCommerce: from n/a through 1.7.3.
AI Analysis
Technical Summary
CVE-2025-58985 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, in the WordPress plugin 'Additional Custom Product Tabs for WooCommerce' by WPFactory. The plugin does not properly neutralize user-supplied input when generating the page, so an attacker with an account that can create or edit custom product tabs can store arbitrary HTML and JavaScript in tab content; the payload is rendered, and the script executed, in the browser of every visitor who opens the affected product page. Versions up to and including 1.7.3 are affected; no earliest affected version is given ("n/a"). The CVSS v3.1 base score is 6.5 (medium). The vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) breaks down as: reachable over the network with low attack complexity; low privileges required (an authenticated, low-privileged account; the advisory does not name the role, but any role the plugin lets edit tabs qualifies); user interaction required (a victim must load the page holding the payload); scope changed, because the script runs in other users' browsers, including those of administrators, rather than only in the attacker's own context; and limited confidentiality, integrity and availability impact. The practical consequences are the usual ones for stored XSS in WordPress: the script can perform authenticated actions as the victim (REST and admin-ajax requests carry the victim's session, and wp-admin pages expose the nonces those calls need), inject phishing content, or deface product pages. Outright session-cookie theft is less likely than often stated, because WordPress sets its authentication cookies HttpOnly, so an administrator who views the payload is the high-value target. No known exploits are reported in the wild, and no patch has been linked at the time of writing. The stored nature of the flaw makes it more dangerous than reflected XSS: the payload persists in the database and fires for every user who views the page, customers and staff alike.
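The pattern the summary describes, shown as an added illustration that is not the WPFactory plugin's code (the advisory does not publish the plugin's internals): a product tab whose stored title and body are echoed without escaping, beside a hardened version that uses WordPress's own escaping and capability checks. The meta key `_example_custom_tab`, the form field and nonce names, and the function names are assumptions made for this example.

```php
<?php
/**
 * Added example: NOT code from the affected plugin. Demonstrates the CWE-79
 * pattern (stored tab content echoed raw) beside the hardened pattern.
 * Assumed/hypothetical names: '_example_custom_tab', 'example_tab_nonce',
 * 'example_tab_title', 'example_tab_content'.
 */

// ---- Vulnerable pattern: stored, user-supplied HTML emitted verbatim ----
function example_render_tab_vulnerable( int $product_id ): string {
    $tab = get_post_meta( $product_id, '_example_custom_tab', true );
    if ( ! is_array( $tab ) ) {
        return '';
    }
    // Whatever the editing user saved is written into the page unchanged, so a
    // stored '<img src=x onerror=alert(document.domain)>' runs for every visitor.
    return '<h2>' . $tab['title'] . '</h2>'
         . '<div class="tab-body">' . $tab['content'] . '</div>';
}

// ---- Hardened pattern: escape/filter at output, check capability and nonce on save ----
function example_render_tab_hardened( int $product_id ): string {
    $tab = get_post_meta( $product_id, '_example_custom_tab', true );
    if ( ! is_array( $tab ) ) {
        return '';
    }
    // The title is plain text: esc_html() converts <, >, &, and quotes to entities.
    $title = esc_html( $tab['title'] ?? '' );
    // The body is rich text: wp_kses_post() keeps the tags allowed in post content
    // (p, a, strong, img, ...) and strips <script>, on* event handlers and
    // javascript: URLs, because that protocol is not in wp_allowed_protocols().
    $content = wp_kses_post( $tab['content'] ?? '' );
    return '<h2>' . $title . '</h2>'
         . '<div class="tab-body">' . $content . '</div>';
}

function example_save_tab( int $product_id ): void {
    // Only users allowed to edit this product may change its tabs.
    if ( ! current_user_can( 'edit_post', $product_id ) ) {
        return;
    }
    // CSRF protection for the admin form (nonce action/field names assumed).
    $nonce = isset( $_POST['example_tab_nonce'] ) ? sanitize_key( $_POST['example_tab_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_save_tab' ) ) {
        return;
    }
    $title   = sanitize_text_field( wp_unslash( $_POST['example_tab_title'] ?? '' ) );
    $content = wp_unslash( $_POST['example_tab_content'] ?? '' );
    // Defence in depth: users without the unfiltered_html capability (for example
    // Contributors and Authors) get the same allowlist applied before storage, so
    // the database never holds the payload. Output escaping above still applies.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $content = wp_kses_post( $content );
    }
    update_post_meta(
        $product_id,
        '_example_custom_tab',
        [ 'title' => $title, 'content' => $content ]
    );
}
```

The point of the two render functions is where the neutralization happens: the vulnerable one trusts the database, the hardened one treats stored meta as untrusted input and escapes according to context (text versus rich HTML) at the moment it is written into the page. Filtering on save is a second layer, not a replacement, because an administrator with unfiltered_html, an import, or a direct database write can still put raw HTML into the same row.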
Potential Impact
For European organizations operating WooCommerce-based e-commerce platforms, this vulnerability poses a real risk to customer trust and data security. Exploitation could lead to unauthorized actions performed with a victim's session, theft of sensitive customer data displayed in the browser, and defacement of product pages. This can result in reputational damage, loss of sales, and regulatory consequences under GDPR if personal data is compromised. The medium severity score reflects that exploitation requires an authenticated account and user interaction; nonetheless, WooCommerce's wide deployment in Europe means any store running this plugin should treat the issue as relevant. An attacker with a low-privileged account can inject a payload that then executes for end customers, staff, and administrators who view the product page. The script execution can also serve as a stepping stone for more complex attacks, including phishing, malware distribution, or privilege escalation via actions taken in an administrator's session. Given the e-commerce context, financial fraud and disruption of business operations are plausible outcomes.
Mitigation Recommendations
1. Update the 'Additional Custom Product Tabs for WooCommerce' plugin to a patched version as soon as one is published. Monitor WPFactory and the official WordPress plugin repository for updates.
2. In the interim, limit the number of accounts that can add or edit product tabs to trusted administrators, and treat every account with product-editing rights as privileged (strong passwords, MFA where available).
3. For the plugin maintainer, or anyone forking the plugin: escape all user-supplied data at output according to context, using WordPress's built-in functions: esc_html() for text, esc_attr() for attribute values, and wp_kses_post() for rich HTML. Applying wp_kses_post() on save for users without the unfiltered_html capability is useful defence in depth but does not replace output escaping.
4. Deploy a Content Security Policy to limit execution of unauthorized scripts on product pages. Note that WordPress, WooCommerce and most themes emit inline scripts, so a script-src policy without nonces or hashes will break the store; roll it out in Content-Security-Policy-Report-Only mode first.
5. Conduct regular security audits and penetration testing focused on plugin components that render user-supplied content.
6. Educate site administrators about the risks of XSS, in particular that viewing a product page while logged in as an administrator is enough for a stored payload to act with their privileges.
7. Monitor web server logs and user reports for signs of exploitation, and search stored tab content for script tags, event-handler attributes and javascript: URLs that legitimate tab HTML should never contain.
8. Consider temporarily disabling the plugin if immediate patching is not feasible and the risk is deemed high.
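A hunt for already-stored payloads, supporting the monitoring recommendation above. This is an added example, not part of the advisory or the plugin; it assumes the plugin keeps tab content in wp_postmeta (the meta key is unknown, so every meta row is scanned) and is meant to be run with WP-CLI via `wp eval-file`. Expect false positives from page builders and other plugins that legitimately store inline scripts in meta, and extend the scan to wp_posts.post_content if the tab data lives there instead.

```php
<?php
/**
 * Added example: hunt query for stored XSS markers in post meta.
 * Assumption: tab content is stored in wp_postmeta; meta key unknown.
 * Run with: wp eval-file hunt-stored-xss.php
 */
function example_find_suspicious_meta( int $limit = 50 ): array {
    global $wpdb;

    // Markers that legitimate product-tab HTML should never contain.
    $markers = [ '<script', 'onerror=', 'onload=', 'onmouseover=', 'javascript:', 'srcdoc=' ];

    $where = [];
    $args  = [];
    foreach ( $markers as $marker ) {
        $where[] = 'meta_value LIKE %s';
        // esc_like() escapes %, _ and \ so the marker is matched literally.
        $args[]  = '%' . $wpdb->esc_like( $marker ) . '%';
    }
    $args[] = $limit;

    $sql = "SELECT post_id, meta_key, LEFT(meta_value, 120) AS snippet
            FROM {$wpdb->postmeta}
            WHERE " . implode( ' OR ', $where ) . '
            LIMIT %d';

    // prepare() accepts the placeholder values as a single array.
    return $wpdb->get_results( $wpdb->prepare( $sql, $args ), ARRAY_A );
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    $hits = example_find_suspicious_meta();
    WP_CLI::log( sprintf( '%d suspicious meta rows', count( $hits ) ) );
    foreach ( $hits as $row ) {
        WP_CLI::log( sprintf( 'post %d  %s  %s', $row['post_id'], $row['meta_key'], $row['snippet'] ) );
    }
}
```

Review each hit by loading the product page as an unprivileged user rather than as an administrator, or by inspecting the raw row in the database, so that the triage itself does not trigger the payload in a privileged session.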
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-06T04:45:22.563Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68c05927ffcb452a184a8c41
Added to database: 9/9/2025, 4:43:19 PM
Last enriched: 9/9/2025, 4:45:47 PM
Last updated: 9/9/2025, 4:45:47 PM