CVE-2025-60160 is a medium-severity stored Cross-site Scripting (XSS) vulnerability affecting the sharkthemes Smart Related Products plugin, versions up to 2.0.5. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), allowing malicious actors to inject and store arbitrary scripts within the plugin's data handling processes. When a victim accesses a page rendering the injected content, the malicious script executes in their browser context. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L) indicates that the attack can be performed remotely over the network with low attack complexity but requires high privileges and user interaction. The scope is changed, meaning the vulnerability affects components beyond the initially vulnerable module. The impact includes limited confidentiality, integrity, and availability losses, as the injected scripts can steal session tokens, manipulate page content, or cause denial of service. No known exploits are currently reported in the wild, and no patches are linked yet. The vulnerability is specifically tied to the Smart Related Products plugin, commonly used in WordPress e-commerce or content sites to display related products dynamically. Stored XSS is particularly dangerous because the malicious payload persists on the server and affects multiple users without requiring repeated attacker input.

For European organizations using the sharkthemes Smart Related Products plugin, this vulnerability poses a risk of client-side attacks that can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of users. E-commerce platforms and content-heavy websites relying on this plugin could see customer trust erode if attackers exploit this flaw to inject malicious scripts. The medium severity and requirement for high privileges limit the attack surface somewhat, but insider threats or compromised administrator accounts could enable exploitation. Additionally, the scope change means that the vulnerability could affect integrated systems or third-party components, potentially amplifying impact. Regulatory frameworks such as GDPR impose strict requirements on protecting user data, and exploitation leading to data breaches could result in significant fines and reputational damage. The availability impact, while limited, could disrupt user experience and sales during exploitation or remediation.

Organizations should immediately audit their use of the Smart Related Products plugin and restrict administrative privileges to trusted personnel only, minimizing the risk of privilege abuse. Implement strict input validation and output encoding on all user-supplied data within the plugin context to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Monitor web application logs for unusual input patterns or script injections. Until an official patch is released, consider disabling or replacing the plugin with alternatives that have robust security reviews. Conduct regular security training for administrators to recognize phishing or social engineering attempts that could lead to privilege escalation. Finally, implement multi-factor authentication (MFA) for all administrative accounts to reduce the risk of compromised credentials enabling exploitation.