CVE-2025-60171 is a high-severity Cross-Site Request Forgery (CSRF) vulnerability affecting the 'Conditional Cart Messages for WooCommerce' plugin developed by YourPlugins.com. This plugin is used within WooCommerce, a popular e-commerce platform on WordPress, to display conditional messages in shopping carts. The vulnerability allows an attacker to perform unauthorized actions on behalf of an authenticated user by exploiting the lack of proper CSRF protections. Specifically, this flaw enables stored Cross-Site Scripting (XSS) attacks, where malicious scripts can be injected and persist within the application. The CVSS 3.1 base score of 7.1 reflects the network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component. The impact includes low confidentiality, integrity, and availability impacts individually, but combined they can lead to significant compromise of user sessions and data integrity. The vulnerability affects all versions up to 1.2.10, with no patch links currently available, and no known exploits in the wild as of the published date (September 26, 2025). The CWE classification is CWE-352, which corresponds to CSRF vulnerabilities that trick authenticated users into submitting unwanted requests. The vulnerability could be exploited by tricking users into clicking crafted links or visiting malicious sites, causing unauthorized changes or injection of malicious content into the WooCommerce environment, potentially leading to session hijacking, data manipulation, or further exploitation via stored XSS payloads.

For European organizations, especially those operating e-commerce websites using WooCommerce with the affected plugin, this vulnerability poses a significant risk. Attackers could exploit the CSRF flaw to inject malicious scripts that persist in the cart messages, potentially compromising customer data, including personal and payment information. This can lead to reputational damage, financial loss, and regulatory non-compliance under GDPR due to unauthorized data exposure or manipulation. The stored XSS aspect increases the risk by allowing attackers to execute arbitrary JavaScript in the context of the victim's browser, facilitating session hijacking, credential theft, or redirection to malicious sites. Given WooCommerce's popularity in Europe and the widespread use of WordPress-based e-commerce, the vulnerability could affect a broad range of small to medium enterprises and larger retailers. The requirement for user interaction means phishing or social engineering campaigns could be used to trigger the exploit, increasing the attack surface. Additionally, the changed scope indicates that the impact could extend beyond the plugin itself, potentially affecting other parts of the website or connected systems.

European organizations should immediately audit their WooCommerce installations to identify the presence of the 'Conditional Cart Messages for WooCommerce' plugin and verify the version in use. Until an official patch is released, organizations should consider disabling the plugin to eliminate the attack vector. Implementing Web Application Firewall (WAF) rules to detect and block CSRF attempts and suspicious payloads targeting the plugin's endpoints can provide temporary protection. Enforcing strict Content Security Policy (CSP) headers can help mitigate the impact of stored XSS by restricting script execution. Organizations should also educate users and administrators about phishing risks related to CSRF attacks. Monitoring web server and application logs for unusual POST requests or parameter tampering associated with the plugin can aid in early detection of exploitation attempts. Once a patch is available, prompt application of updates is critical. Additionally, developers should review and implement anti-CSRF tokens and proper input validation/sanitization in the plugin code to prevent future vulnerabilities.