CVE-2025-8073 identifies a stored Cross-Site Scripting (XSS) vulnerability in the Dynamic AJAX Product Filters for WooCommerce plugin developed by plugincy for WordPress. This vulnerability is due to improper neutralization of input during web page generation (CWE-79), specifically through the ‘name’ parameter. The plugin fails to adequately sanitize and escape this input, allowing authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code into pages. Because the malicious script is stored, it executes every time any user accesses the compromised page, potentially affecting administrators, editors, and site visitors. The vulnerability requires no user interaction beyond page access and can lead to confidentiality and integrity impacts, such as session hijacking, unauthorized actions, or defacement. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and a scope change. Although no public exploits are known, the vulnerability poses a significant risk to sites using this plugin. The affected versions include all versions up to and including 1.3.7. The vulnerability was published on August 28, 2025, and was reserved on July 23, 2025. No official patches are currently linked, so mitigation involves monitoring for updates and applying best practices in input validation and output encoding.

The impact of CVE-2025-8073 is primarily on the confidentiality and integrity of affected WordPress sites using the Dynamic AJAX Product Filters for WooCommerce plugin. Successful exploitation allows an authenticated contributor or higher to inject persistent malicious scripts, which execute in the context of any user viewing the affected page. This can lead to session hijacking, theft of sensitive information, unauthorized actions performed on behalf of users, and potential site defacement. Since WooCommerce powers a significant portion of e-commerce websites worldwide, exploitation could disrupt online retail operations, damage brand reputation, and result in financial losses. The vulnerability does not directly affect availability but can indirectly cause downtime if remediation or incident response is required. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially on sites with multiple contributors or less restrictive access controls. The scope change in the CVSS vector indicates that the vulnerability affects resources beyond the attacker’s privileges, increasing potential damage.

To mitigate CVE-2025-8073, organizations should first monitor for and apply official patches from the plugin vendor as soon as they become available. Until patches are released, administrators should restrict Contributor-level and higher access to trusted users only, minimizing the risk of malicious script injection. Implementing Web Application Firewall (WAF) rules that detect and block suspicious input patterns in the ‘name’ parameter can provide interim protection. Site owners should audit existing content for injected scripts and remove any malicious code. Employing Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Additionally, developers can manually sanitize and escape user inputs in plugin code if feasible. Regular security reviews and least privilege principles for user roles reduce the risk of exploitation. Finally, educating contributors about secure input practices and monitoring logs for unusual activity can aid early detection.