CVE-2025-58985 is a medium-severity vulnerability classified as CWE-79, indicating an Improper Neutralization of Input During Web Page Generation, commonly known as Cross-site Scripting (XSS). This vulnerability affects the WPFactory Additional Custom Product Tabs for WooCommerce plugin, specifically versions up to 1.7.3. The flaw allows an attacker with at least low-level privileges (PR:L) and requiring user interaction (UI:R) to inject malicious scripts that are stored persistently within the product tabs. When other users or administrators view the affected product pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed with the victim’s privileges. The vulnerability has a CVSS v3.1 base score of 6.5, reflecting a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), and a scope change (S:C) indicating that the vulnerability can affect resources beyond the initially vulnerable component. The impact affects confidentiality, integrity, and availability to a limited extent (C:L/I:L/A:L). No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability is particularly relevant for e-commerce sites using WooCommerce with this plugin, as product tabs are commonly used to display additional product information, making them a valuable target for attackers to inject malicious content that can affect customers and administrators alike.

For European organizations operating e-commerce platforms using WooCommerce with the WPFactory Additional Custom Product Tabs plugin, this vulnerability poses a significant risk. Exploitation could lead to theft of customer credentials, session tokens, or other sensitive data, undermining customer trust and potentially violating GDPR regulations regarding data protection and breach notification. The integrity of product information could be compromised, leading to misinformation or fraudulent content displayed to customers, which can damage brand reputation and result in financial losses. Additionally, attackers could leverage the XSS to perform actions on behalf of administrators, potentially leading to further compromise of the e-commerce platform or backend systems. The scope change in the vulnerability suggests that the impact could extend beyond the plugin itself, affecting other components or user sessions. Given the widespread use of WooCommerce across Europe, especially among small and medium enterprises, the threat could have broad implications if not mitigated promptly.

Organizations should immediately audit their WooCommerce installations to identify if the WPFactory Additional Custom Product Tabs plugin is in use and verify the version. Until an official patch is released, administrators should consider disabling or removing the plugin to eliminate the attack surface. Implementing Web Application Firewall (WAF) rules that detect and block suspicious input patterns related to script injection in product tabs can provide temporary protection. Additionally, applying Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting the execution of unauthorized scripts. Regularly scanning the website for injected scripts and monitoring logs for unusual activities related to product tab content is recommended. Educating administrators and content managers about the risks of injecting untrusted content and enforcing strict input validation and sanitization on any custom content fields can reduce the likelihood of exploitation. Finally, organizations should stay alert for official patches or updates from WPFactory and apply them promptly once available.