CVE-2025-62750: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Filipe Seabra WooCommerce Parcelas
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Filipe Seabra WooCommerce Parcelas allows DOM-Based XSS. This issue affects WooCommerce Parcelas: from n/a through 1.3.5.
AI Analysis
Technical Summary
CVE-2025-62750 identifies a DOM-based Cross-site Scripting (XSS) vulnerability in the WooCommerce Parcelas plugin, a tool used to manage installment payments in WooCommerce-based e-commerce websites. This vulnerability arises from improper neutralization of input during web page generation, classified under CWE-79. Specifically, the plugin fails to adequately sanitize or encode user-supplied data before inserting it into the DOM, allowing attackers to execute arbitrary JavaScript code within the context of the victim’s browser. The vulnerability affects all versions up to 1.3.5. Exploitation requires the attacker to have high privileges (PR:H) on the system and involves user interaction (UI:R), such as tricking a user into clicking a crafted link or interacting with malicious content. The attack vector is network-based (AV:N), meaning it can be exploited remotely. The vulnerability impacts confidentiality, integrity, and availability (C:L/I:L/A:L) of the affected web application, potentially allowing theft of session tokens, manipulation of displayed content, or disruption of service. No public exploits are known at this time, and no official patches have been released yet. The vulnerability’s scope is considered changed (S:C), indicating that exploitation can affect resources beyond the vulnerable component. The plugin is widely used in WooCommerce environments, which are popular in European e-commerce markets.
Potential Impact
For European organizations, especially those operating e-commerce platforms using WooCommerce and the WooCommerce Parcelas plugin, this vulnerability poses a risk of client-side code execution leading to session hijacking, data theft, or fraudulent transactions. The compromise of user sessions can damage customer trust and lead to regulatory non-compliance under GDPR due to potential exposure of personal data. The integrity of transaction data may be undermined, affecting financial reporting and customer billing. Availability impacts could arise if attackers disrupt the normal functioning of the payment installment feature, leading to loss of sales and reputational damage. Given the medium severity and the requirement for authenticated access, the threat is more significant for organizations with multiple privileged users or where privilege escalation is possible. The lack of known exploits currently reduces immediate risk but does not eliminate the potential for future attacks.
Mitigation Recommendations
1. Monitor for and apply official patches or updates from the WooCommerce Parcelas plugin developer as soon as they become available.
2. Restrict plugin administrative access strictly to trusted personnel and enforce strong authentication mechanisms to reduce the risk of privilege abuse.
3. Implement robust input validation and output encoding on all user inputs, especially those processed by the plugin, to prevent injection of malicious scripts.
4. Deploy Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser context.
5. Conduct regular security audits and penetration testing focused on web application vulnerabilities including DOM-based XSS.
6. Educate users and administrators about phishing and social engineering tactics that could facilitate exploitation requiring user interaction.
7. Consider disabling or replacing the plugin if immediate patching is not feasible and the risk is unacceptable.
8. Monitor web server and application logs for suspicious activities indicative of attempted XSS exploitation.
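The Technical Summary describes the defect class (a client-side value written into the DOM without encoding) and mitigation item 3 names the fix (validation plus output encoding). The block below is an added illustration of both, written for this page; it is not code from the WooCommerce Parcelas plugin, and the installment widget, the `parcelas` query parameter, and every function name in it are hypothetical. It shows the vulnerable pattern beside its hardened form and a small check that tells the two apart.

```javascript
// Added example, not code from the WooCommerce Parcelas plugin. The installment
// widget, the "parcelas" query parameter and all function names are hypothetical;
// only the vulnerability class (CWE-79, DOM-based XSS) comes from the advisory.

// Constructed sample inputs: a benign installment count and a value that carries
// markup, which is what a crafted link would deliver in the user-interaction step.
const BENIGN_QUERY = "?parcelas=6";
const HOSTILE_QUERY = "?parcelas=<script>alert(1)</script>";

// Vulnerable pattern: a client-side source (the page's own query string) is
// spliced unencoded into a string that will be assigned to innerHTML (a sink).
function renderUnsafe(queryString) {
  const raw = new URLSearchParams(queryString).get("parcelas") ?? "";
  return `<span class="parcelas">Pay in ${raw} installments</span>`;
}

// Hardened step 1, input validation: an installment count is a small positive
// integer, so anything else is rejected before it gets near a sink.
function parseInstallments(raw) {
  if (raw === null || !/^[1-9][0-9]?$/.test(raw)) return null;
  const n = Number(raw);
  return n <= 24 ? n : null;
}

// Hardened step 2, output encoding for the HTML text context. Every character
// that can open a tag, an attribute or an entity is replaced by its entity.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened renderer: validate, then encode; on bad input fail closed with a
// fixed message instead of echoing the attacker-controlled value.
function renderSafe(queryString) {
  const n = parseInstallments(new URLSearchParams(queryString).get("parcelas"));
  if (n === null) return '<span class="parcelas">Installments unavailable</span>';
  return `<span class="parcelas">Pay in ${escapeHtml(n)} installments</span>`;
}

// Preferred sink: write text, not markup. `element` is any object with a
// textContent property (a real DOM node in the browser, a plain object here).
function setInstallmentText(element, queryString) {
  const n = parseInstallments(new URLSearchParams(queryString).get("parcelas"));
  element.textContent = n === null ? "Installments unavailable" : `Pay in ${n} installments`;
  return element.textContent;
}

// Review-style check: does a rendered fragment still contain a tag that the
// template itself did not put there? Used here to show which renderer leaks.
function leaksMarkup(fragment) {
  const stripped = fragment
    .replace(/^<span class="parcelas">/, "")
    .replace(/<\/span>$/, "");
  return /[<>]/.test(stripped);
}

// Stand-alone demonstration.
console.log("unsafe renderer leaks markup:", leaksMarkup(renderUnsafe(HOSTILE_QUERY))); // true
console.log("safe renderer leaks markup:", leaksMarkup(renderSafe(HOSTILE_QUERY)));     // false
console.log(renderSafe(BENIGN_QUERY));
console.log(setInstallmentText({ textContent: "" }, HOSTILE_QUERY));
```

The validation step does most of the work for a field like this, because an installment count has no legitimate reason to contain anything but digits; the encoding step is kept anyway so the renderer stays safe if the field is ever widened to free text. Mitigation item 4 is the complementary layer: a `Content-Security-Policy` with a `script-src` directive that omits `'unsafe-inline'` prevents the injected inline script from executing even when an encoding bug slips through.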
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-10-21T14:59:50.025Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6955289adb813ff03eeaf24e
Added to database: 12/31/2025, 1:43:54 PM
Last enriched: 1/20/2026, 10:38:02 PM
Last updated: 2/7/2026, 9:39:53 AM