CVE-2025-22307

The vulnerability is a reflected cross-site scripting (XSS) issue in the Product Table for WooCommerce plugin for WordPress. It stems from improper neutralization of user input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript. This affects all versions up to and including 4.0.3 [1].

Exploitation requires a privileged user to perform an action, such as clicking a malicious link or visiting a crafted page. The attacker does not need authentication but relies on social engineering to trick a user with appropriate privileges. This makes it suitable for mass exploitation campaigns targeting thousands of sites [1].

Successful exploitation enables the attacker to execute arbitrary scripts in the context of the victim's browser. This can lead to redirects, display of advertisements, theft of session cookies, or other malicious activities that compromise the site's integrity and user trust [1].

The vendor has released version 5.0.0 which resolves the vulnerability. Users are strongly advised to update immediately. Patchstack also provides a mitigation rule to block attacks until the update is applied [1].