CVE-2025-67537 is a stored cross-site scripting (XSS) vulnerability identified in the ThirstyAffiliates WordPress plugin, versions up to 3.11.8. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows an attacker to inject malicious scripts that are stored and later executed in the context of users visiting the affected site. This type of vulnerability can be exploited when an attacker with at least low privileges (PR:L) submits crafted input that is not properly sanitized or encoded, leading to script execution when other users view the affected pages. The attack requires user interaction (UI:R), such as a victim clicking a link or viewing a page, and can impact confidentiality, integrity, and availability (scope changed, S:C). The CVSS 3.1 base score of 6.5 reflects these factors: network attack vector (AV:N), low attack complexity (AC:L), privileges required (PR:L), user interaction required (UI:R), and partial impacts on confidentiality, integrity, and availability (C:L/I:L/A:L). Stored XSS vulnerabilities are particularly dangerous because injected scripts persist on the server and can affect multiple users. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to websites using this plugin, especially those handling sensitive user data or financial transactions. The vulnerability was published on December 9, 2025, and no official patches or fixes are currently linked, indicating the need for vigilance and interim mitigations.

For European organizations, the impact of CVE-2025-67537 can be substantial, especially for those relying on WordPress sites with the ThirstyAffiliates plugin for affiliate marketing and e-commerce. Successful exploitation can lead to session hijacking, theft of user credentials, defacement of websites, or redirection to malicious sites, undermining customer trust and brand reputation. Confidential data leakage could contravene GDPR requirements, leading to regulatory penalties. The integrity of affiliate links and marketing campaigns could be compromised, resulting in financial losses. Availability impacts, while typically limited in XSS, could occur if injected scripts disrupt site functionality or trigger denial-of-service conditions. The requirement for low privileges means that even compromised or low-level user accounts can be leveraged for attacks, increasing the attack surface. Given the widespread use of WordPress in Europe and the importance of affiliate marketing in digital commerce, this vulnerability could affect a broad range of sectors including retail, media, and services.

Organizations should immediately inventory their WordPress installations to identify the presence of ThirstyAffiliates plugin and its version. Until an official patch is released, apply the following mitigations: implement strict input validation and output encoding on all user-supplied data related to the plugin, especially in areas where affiliate links or user inputs are processed; restrict plugin usage to trusted users with minimal necessary privileges to reduce exploitation risk; employ Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting this plugin; monitor logs and user activity for unusual behavior indicative of exploitation attempts; educate users about the risks of clicking suspicious links or interacting with untrusted content; and consider temporarily disabling or replacing the plugin if feasible. Once a patch is available, prioritize prompt application and test thoroughly to ensure the vulnerability is remediated without disrupting business operations.