CVE-2025-67557 is a stored Cross-site Scripting (XSS) vulnerability identified in the WP eBay Product Feeds plugin for WordPress, developed by Rhys Wynne. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing malicious scripts to be stored and subsequently executed in the context of users visiting affected pages. This plugin facilitates the integration of eBay product feeds into WordPress sites, commonly used by e-commerce and affiliate marketers to display product listings. Versions up to and including 3.4.9 are affected. The stored nature of the XSS means that once malicious input is injected, it persists and executes whenever the affected page is loaded, potentially compromising all visitors. Attackers can exploit this flaw without authentication or user interaction beyond visiting the compromised page, increasing the attack surface. Consequences include theft of session cookies, redirection to malicious sites, defacement, or delivery of malware payloads. No official patches or exploit code are currently available, but the vulnerability has been publicly disclosed. The lack of a CVSS score necessitates a severity assessment based on impact and exploitability factors.

For European organizations, especially those operating WordPress-based e-commerce or affiliate marketing sites using the WP eBay Product Feeds plugin, this vulnerability poses significant risks. Successful exploitation can lead to unauthorized access to user sessions, enabling attackers to impersonate legitimate users or administrators. This compromises confidentiality and integrity of user data and site content. Additionally, attackers could use the vulnerability to distribute malware or conduct phishing attacks targeting site visitors, damaging organizational reputation and potentially leading to regulatory penalties under GDPR if personal data is compromised. The persistent nature of stored XSS increases the risk of widespread impact across all site visitors. Given the plugin's role in product feed integration, affected sites may experience disruptions in business operations and loss of customer trust.

Organizations should prioritize updating the WP eBay Product Feeds plugin to a patched version once it becomes available from the vendor. Until an official patch is released, administrators should implement strict input validation and output encoding on all user-supplied data processed by the plugin to prevent script injection. Employing Web Application Firewalls (WAFs) with rules targeting XSS payloads can provide interim protection. Regularly scanning websites for XSS vulnerabilities using automated tools and manual testing is recommended. Additionally, enforcing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Monitoring website logs for unusual activity and educating site administrators about the risks of installing unverified plugins can further reduce exposure.