
CVE-2025-60158: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in webmaniabr Nota Fiscal Eletrônica WooCommerce

Severity: Medium
Tags: Vulnerability, CVE-2025-60158, CWE-79
Published: Fri Sep 26 2025 (09/26/2025, 08:31:57 UTC)
Source: CVE Database V5
Vendor/Project: webmaniabr
Product: Nota Fiscal Eletrônica WooCommerce

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webmaniabr Nota Fiscal Eletrônica WooCommerce allows Stored XSS. This issue affects Nota Fiscal Eletrônica WooCommerce: from n/a through 3.4.0.6.

AI-Powered Analysis

Last updated: 09/26/2025, 13:44:05 UTC

Technical Analysis

CVE-2025-60158 is a medium severity vulnerability classified as CWE-79, Improper Neutralization of Input During Web Page Generation, commonly known as Cross-site Scripting (XSS). It affects the webmaniabr Nota Fiscal Eletrônica WooCommerce plugin in versions up to and including 3.4.0.6. The flaw allows an attacker to inject script content that is stored persistently by the application and later executed in the browsers of users who view the affected pages. The CVSS v3.1 score of 5.9 reflects a vulnerability that is exploitable over the network with low attack complexity, but that requires high privileges and user interaction. Confidentiality, integrity, and availability are each affected to a limited extent: injected script can read session tokens, alter page content, or perform actions on behalf of the viewing user. The CVSS scope is Changed, meaning the impact extends beyond the vulnerable component itself (the plugin) to the browser sessions of other users. Because exploitation requires authenticated access and user interaction, the attack surface is reduced, but the risk remains significant in environments where several users share access to the WooCommerce plugin. No known exploits are currently in the wild, and no patch has been linked yet, so mitigation may depend on a vendor update or manual intervention. The root cause is insufficient input sanitization or output encoding during web page generation, which allows attacker-supplied payloads to be stored and later rendered unescaped in users' browsers.

Potential Impact

For European organizations, particularly e-commerce businesses using WooCommerce with the Nota Fiscal Eletrônica plugin, this vulnerability could lead to unauthorized access to user sessions, theft of sensitive customer data, or manipulation of transaction data. Given that Nota Fiscal Eletrônica is a Brazilian electronic invoicing system, European companies engaged in trade or operations involving Brazilian markets or Brazilian subsidiaries may be affected. The compromise of user accounts or administrative functions could disrupt business operations, damage customer trust, and lead to regulatory non-compliance under GDPR due to data leakage. Additionally, the stored XSS could be leveraged to conduct phishing attacks or spread malware within the user base. The requirement for authenticated access reduces the risk from anonymous attackers but does not eliminate insider threats or attacks via compromised credentials. The vulnerability's impact on availability is limited but could be exploited to deface or manipulate web content, affecting business reputation.

Mitigation Recommendations

Organizations should immediately audit their use of the Nota Fiscal Eletrônica WooCommerce plugin and restrict access to trusted users only. Implement strict input validation and output encoding on all user-supplied data within the plugin to prevent script injection. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Monitor user activity logs for suspicious behavior indicative of exploitation attempts. Until an official patch is released, consider disabling or removing the plugin if feasible, or isolate it in a controlled environment. Conduct regular security training for users with access to the plugin to recognize phishing or suspicious content. Additionally, implement multi-factor authentication to reduce the risk of credential compromise. Finally, keep all WordPress and WooCommerce components updated to minimize exposure to related vulnerabilities.


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-09-25T15:28:03.107Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68d6989183dae5453b6d11a6

Added to database: 9/26/2025, 1:43:45 PM

Last enriched: 9/26/2025, 1:44:05 PM

Last updated: 9/29/2025, 1:21:06 PM
