CVE-2025-64289 identifies a Stored Cross-site Scripting (XSS) vulnerability in the Premmerce Product Search plugin for WooCommerce, specifically versions up to and including 2.2.4. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows attackers to inject malicious JavaScript code that is stored persistently on the affected website. When other users or administrators access the compromised pages, the malicious script executes in their browsers within the context of the vulnerable site. This can lead to a range of attacks including session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and redirection to malicious websites. The vulnerability does not require authentication, increasing the attack surface, and does not depend on user interaction beyond visiting the affected page. WooCommerce is a widely used e-commerce platform, and Premmerce Product Search is a popular plugin enhancing product search capabilities, making this vulnerability relevant to many online stores. Although no exploits have been reported in the wild yet, the potential for abuse is significant due to the nature of stored XSS and the high value of e-commerce platforms as targets. The lack of a CVSS score means severity must be assessed based on impact and exploitability factors. The vulnerability affects confidentiality, integrity, and potentially availability of the affected sites and their users. The plugin's market penetration in Europe, combined with the strategic importance of e-commerce, underscores the need for prompt remediation.

For European organizations, this vulnerability poses a significant risk to e-commerce websites using WooCommerce with the Premmerce Product Search plugin. Exploitation can lead to theft of customer credentials, payment information, and personal data, undermining customer trust and potentially violating GDPR requirements. Attackers could deface websites or inject malicious content, damaging brand reputation and causing financial losses. The persistent nature of stored XSS means that once exploited, the malicious code can affect multiple users over time, amplifying the impact. Additionally, compromised sites may be blacklisted by search engines or payment processors, disrupting business operations. The vulnerability's ease of exploitation without authentication increases the likelihood of attacks, especially targeting high-traffic online stores in Europe. This could also facilitate further attacks such as phishing or malware distribution. Organizations failing to address this vulnerability risk regulatory penalties and loss of competitive advantage in the digital marketplace.

1. Immediately update the Premmerce Product Search plugin to a version that addresses this vulnerability once available. 2. If no patch is currently available, consider disabling or uninstalling the plugin to eliminate the attack vector. 3. Implement strict input validation and output encoding on all user-supplied data related to product search inputs to prevent script injection. 4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on the website. 5. Conduct regular security audits and penetration testing focusing on web application vulnerabilities, especially XSS. 6. Monitor web server logs and user activity for signs of suspicious behavior or injection attempts. 7. Educate website administrators and developers on secure coding practices and the risks of XSS. 8. Use web application firewalls (WAF) configured to detect and block XSS payloads targeting WooCommerce plugins. 9. Backup website data regularly to enable quick recovery in case of compromise. 10. Review and tighten user permissions to limit the impact of potential attacks.