VYPR
Medium severity (CVSS 6.1) · NVD Advisory · Published Dec 6, 2025 · Updated Apr 15, 2026

CVE-2025-13137


Description

The Live Sales Notification for Woocommerce – Woomotiv plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'woomotiv_limit' parameter in all versions up to, and including, 3.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS vulnerability in Woomotiv for WooCommerce via 'woomotiv_limit' parameter allows unauthenticated attackers to inject scripts by tricking users into clicking a link.

Vulnerability Overview

The Live Sales Notification for WooCommerce – Woomotiv plugin for WordPress suffers from a reflected cross-site scripting (XSS) vulnerability in all versions up to and including 3.6.3. The issue resides in the 'woomotiv_limit' parameter, which is insufficiently sanitized and escaped before output, allowing arbitrary JavaScript injection.
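To make the defect class concrete, here is an added PHP sketch that is not the Woomotiv plugin's code: only the parameter name 'woomotiv_limit' comes from the advisory, while the markup, default value and function names are assumptions. It places the unescaped reflection beside a form that validates on input and escapes on output, assuming WordPress's absint(), wp_unslash() and esc_attr() are available.

```php
<?php
// Illustration only (assumed structure, not the real plugin source).
// 'woomotiv_limit' is the parameter named in the advisory.

// Vulnerable pattern: the request value is echoed back into the page
// unmodified, so any markup carried in the parameter is rendered as HTML.
function woomotiv_render_limit_vulnerable() {
    $limit = isset( $_GET['woomotiv_limit'] ) ? $_GET['woomotiv_limit'] : '5';
    echo '<input type="text" name="woomotiv_limit" value="' . $limit . '">';
}

// Hardened pattern: a "limit" is a non-negative integer, so absint() rejects
// everything else on input, and esc_attr() escapes the value for the HTML
// attribute context on output. Either step alone blocks this reflection;
// doing both is the WordPress convention (sanitize in, escape out).
function woomotiv_render_limit_hardened() {
    $limit = isset( $_GET['woomotiv_limit'] )
        ? absint( wp_unslash( $_GET['woomotiv_limit'] ) )
        : 5;
    printf(
        '<input type="text" name="woomotiv_limit" value="%s">',
        esc_attr( (string) $limit )
    );
}
```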

Exploitation Details

An unauthenticated attacker can craft a malicious URL containing the XSS payload in the 'woomotiv_limit' parameter. If a user clicks the link, the script executes within the user's browser session. No authentication is required, and the attack relies on social engineering to trick users into visiting the crafted link.

Impact

Successful exploitation enables the attacker to execute arbitrary web scripts in the context of the victim's browser. This can lead to session hijacking, credential theft, or defacement of the affected WordPress site.

Mitigation

As of December 4, 2025, the plugin has been closed on the WordPress plugin repository and is no longer available for download. Users are advised to immediately remove the plugin from their WordPress installations and consider alternative solutions [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 2

News mentions: 0 (no linked articles in the index yet)