CVE-2025-68041 is a Stored Cross-site Scripting (XSS) vulnerability identified in the codisto Omnichannel for WooCommerce plugin, specifically in versions up to and including 1.3.65. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows attackers to inject malicious JavaScript code that is stored persistently on the affected site. When other users or administrators access the compromised pages, the malicious script executes in their browsers with the same privileges as the legitimate site, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of the victim. The vulnerability is remotely exploitable over the network without requiring authentication, though it does require user interaction, such as visiting a maliciously crafted page or interface within the WooCommerce environment. The CVSS v3.1 base score of 7.1 reflects a high severity level, considering the attack vector is network-based, with low attack complexity, no privileges required, but requiring user interaction, and the impact affects confidentiality, integrity, and availability to a limited extent. No public exploits have been reported yet, but the presence of this vulnerability in a widely used e-commerce plugin poses a significant risk to online stores leveraging WooCommerce with the codisto Omnichannel integration. The vulnerability was officially published on January 22, 2026, with Patchstack as the assigner, but no patch links are currently provided, indicating that users should monitor for updates or apply interim mitigations.

For European organizations, especially those operating e-commerce platforms using WooCommerce integrated with codisto Omnichannel, this vulnerability can lead to serious security incidents. Attackers exploiting this Stored XSS flaw can hijack user sessions, steal credentials, manipulate transactions, or inject malware, undermining customer trust and potentially causing financial losses. The compromise of administrative accounts could lead to further system-wide impacts, including data breaches or defacement. Given the high adoption of WooCommerce in Europe, particularly in countries with strong e-commerce sectors like Germany, the UK, France, and the Netherlands, the threat is significant. Additionally, regulatory frameworks such as GDPR impose strict requirements on protecting customer data, and exploitation of this vulnerability could result in compliance violations and associated penalties. The vulnerability's ability to affect confidentiality, integrity, and availability, combined with ease of exploitation and broad potential exposure, makes it a critical concern for European online retailers and their customers.

Organizations should immediately inventory their WooCommerce installations to identify the use of codisto Omnichannel plugin and its version. Since no official patches are currently linked, interim mitigations include implementing strict Content Security Policies (CSP) to restrict the execution of unauthorized scripts, sanitizing and validating all user inputs rigorously at both client and server sides, and employing Web Application Firewalls (WAF) with rules targeting XSS attack patterns. Administrators should limit user privileges to the minimum necessary and monitor logs for suspicious activities indicative of XSS exploitation attempts. User education is critical to reduce the risk of falling victim to social engineering that triggers the vulnerability. Once patches become available, prompt application is essential. Additionally, consider isolating or disabling the vulnerable plugin temporarily if feasible, and conduct security assessments to detect any signs of compromise. Regular backups and incident response plans should be updated to handle potential exploitation scenarios.