CVE-2025-62096 is a stored Cross-site Scripting (XSS) vulnerability identified in the WPFactory Maximum Products per User plugin for WooCommerce, a popular WordPress e-commerce extension. The vulnerability stems from improper neutralization of user-supplied input during web page generation, classified under CWE-79. This flaw allows an attacker with at least low-level privileges (PR:L) to inject malicious scripts that are stored and later executed in the context of other users who view the affected pages, requiring user interaction (UI:R). The vulnerability affects all versions up to 4.4.2, with no patch currently available. The CVSS 3.1 base score is 6.5, reflecting a medium severity due to network attack vector (AV:N), low attack complexity (AC:L), and the potential for partial impact on confidentiality, integrity, and availability (C:L/I:L/A:L). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. Although no known exploits are reported in the wild, the stored XSS nature poses risks such as session hijacking, defacement, or injection of malicious payloads that can compromise user data or site integrity. The plugin’s role in managing product purchase limits per user makes it a critical component in WooCommerce stores, potentially affecting customer experience and trust if exploited.

For European organizations, especially those operating e-commerce platforms based on WooCommerce, this vulnerability can lead to unauthorized script execution in users’ browsers, resulting in theft of session cookies, redirection to malicious sites, or unauthorized actions performed on behalf of users. This compromises customer data confidentiality and can damage brand reputation. The integrity of product purchase limits and related business logic may be undermined, potentially enabling fraudulent transactions or abuse of purchase restrictions. Availability impacts may arise if attackers use the vulnerability to inject disruptive scripts causing site malfunction or downtime. Given the widespread use of WooCommerce in Europe’s online retail sector, the risk extends to numerous small and medium enterprises reliant on this plugin. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability details are public.

Organizations should immediately audit their WooCommerce installations to identify the presence of the WPFactory Maximum Products per User plugin and its version. Until an official patch is released, implement strict input validation and sanitization on all user inputs related to product purchase limits, ideally through custom code or security plugins that enforce content filtering. Employ Web Application Firewalls (WAFs) with rules targeting XSS payloads to block malicious requests. Limit user privileges to the minimum necessary to reduce the risk of exploitation by low-privilege attackers. Monitor logs and user activity for unusual behavior indicative of XSS exploitation attempts. Educate site administrators and users about the risks of clicking suspicious links or interacting with untrusted content. Once a patch becomes available, prioritize its deployment. Additionally, consider implementing Content Security Policy (CSP) headers to restrict script execution sources, mitigating the impact of potential XSS attacks.