VYPR
High severity · 7.1 · NVD Advisory · Published Mar 28, 2025 · Updated Apr 23, 2026

CVE-2025-22767

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Global Payments GlobalPayments WooCommerce global-payments-woocommerce allows Reflected XSS. This issue affects GlobalPayments WooCommerce: from n/a through <= 1.13.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in GlobalPayments WooCommerce plugin (≤1.13.2) allows attackers to inject malicious scripts via crafted links, requiring user interaction.

The GlobalPayments WooCommerce plugin for WordPress suffers from a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw affects all versions up to and including 1.13.2, and is classified as a high-severity issue with a CVSS v3 score of 7.1.

Exploitation requires an attacker to craft a malicious link that, when clicked by a privileged user (such as an administrator), reflects the injected script into the page output. No direct authentication is needed for the attacker, but the victim must be logged into the WordPress admin panel for the attack to succeed. This type of vulnerability is commonly used in mass-exploit campaigns targeting thousands of sites simultaneously [1].

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the context of the affected site. This can lead to session hijacking, redirection to malicious websites, injection of advertisements, or other HTML payloads that compromise the integrity of the site and its visitors [1].

The vendor has released version 1.13.3, which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, Patchstack provides a mitigation rule that blocks attacks until the patch is applied [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
