CVE-2025-62750 identifies a DOM-based Cross-site Scripting (XSS) vulnerability in the WooCommerce Parcelas plugin by Filipe Seabra, affecting versions up to 1.3.5. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, specifically within the plugin's client-side code. This allows an attacker with high privileges to craft malicious input that, when rendered in a victim's browser, executes arbitrary JavaScript code. The CVSS 3.1 vector indicates network attack vector (AV:N), low attack complexity (AC:L), but requires privileges (PR:H) and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects components beyond the initially vulnerable component. The impact includes low confidentiality, integrity, and availability losses, as the attacker can potentially steal session tokens, manipulate page content, or disrupt functionality. No public exploits or patches are currently available, increasing the risk window. The vulnerability is categorized under CWE-79, a common and well-understood class of XSS issues. Since WooCommerce Parcelas is a plugin used in WordPress e-commerce sites, the vulnerability could be leveraged to target customers or administrators, potentially leading to account compromise or fraud.

For European organizations, especially those operating e-commerce platforms using WooCommerce Parcelas, this vulnerability poses a risk of client-side code injection leading to session hijacking, data theft, or fraudulent transactions. The medium severity indicates that while the attack requires some privileges and user interaction, successful exploitation can degrade trust and cause financial and reputational damage. Given the widespread use of WooCommerce in Europe, particularly in countries with mature e-commerce markets, the vulnerability could affect a significant number of online stores. The compromise of customer data or administrative accounts could also have regulatory implications under GDPR, increasing legal and compliance risks. Additionally, attackers could use this vulnerability as a foothold for further attacks within the affected network or to distribute malware to customers.

1. Immediately audit and restrict administrative access to WooCommerce Parcelas to trusted users only, minimizing the risk of privilege abuse. 2. Implement strict input validation and sanitization on all user inputs, especially those processed or reflected by the plugin, to prevent malicious script injection. 3. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers. 4. Monitor web server and application logs for unusual or suspicious input patterns indicative of attempted XSS exploitation. 5. Until an official patch is released, consider disabling or replacing the WooCommerce Parcelas plugin if feasible. 6. Educate users and administrators about the risks of clicking on untrusted links or inputs that could trigger XSS payloads. 7. Keep WordPress core, themes, and other plugins updated to reduce the attack surface and potential chaining of vulnerabilities. 8. Prepare incident response plans to quickly address any detected exploitation attempts.