CVE-2025-67557 is a stored cross-site scripting (XSS) vulnerability found in the WP eBay Product Feeds plugin for WordPress, developed by Rhys Wynne. This vulnerability stems from improper neutralization of input during web page generation, allowing malicious scripts to be injected and stored within the plugin's data. When other users access the affected pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability affects all versions up to and including 3.4.9. Exploitation requires an attacker to have at least low-level privileges (PR:L) and some user interaction (UI:R), such as convincing an authenticated user to visit a crafted page. The attack complexity is low (AC:L), and the attack vector is network-based (AV:N), meaning the attacker can exploit it remotely over the internet. The vulnerability impacts confidentiality, integrity, and availability partially and has a scope change (S:C), indicating that the attack can affect resources beyond the initially vulnerable component. No known exploits are currently reported in the wild, but the vulnerability is publicly disclosed and should be addressed promptly. The lack of an official patch link suggests that users should monitor vendor communications for updates or apply temporary mitigations such as input sanitization and output encoding. This vulnerability is particularly concerning for WordPress sites that use the plugin to display eBay product feeds, commonly found in e-commerce and retail sectors.

For European organizations, this vulnerability poses a significant risk to websites using the WP eBay Product Feeds plugin, especially those in e-commerce, retail, and digital marketing sectors. Successful exploitation can lead to theft of user credentials, session hijacking, unauthorized transactions, and defacement or manipulation of website content, undermining customer trust and potentially causing financial losses. The partial impact on confidentiality and integrity means sensitive customer data and business information could be exposed or altered. Availability impacts could result in service disruption or degraded user experience. Given the network attack vector and low complexity, attackers can remotely exploit this vulnerability without sophisticated tools, increasing the threat level. Organizations failing to patch or mitigate this vulnerability may face regulatory compliance issues under GDPR due to potential data breaches. Additionally, reputational damage and loss of customer confidence could have long-term business consequences.

1. Monitor for and apply official patches from Rhys Wynne or the plugin maintainers as soon as they are released. 2. Until patches are available, implement strict input validation and output encoding on all user-supplied data processed by the plugin to prevent script injection. 3. Restrict user privileges to the minimum necessary, limiting the ability of low-privilege users to inject malicious content. 4. Employ Web Application Firewalls (WAFs) with rules designed to detect and block XSS payloads targeting the plugin. 5. Conduct regular security audits and code reviews of the plugin and related customizations to identify and remediate insecure coding practices. 6. Educate site administrators and users about phishing and social engineering risks to reduce successful exploitation via user interaction. 7. Monitor logs and user activity for signs of exploitation attempts or unusual behavior. 8. Consider isolating or disabling the plugin if it is not essential to reduce the attack surface.