CVE-2025-23481
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Anzar Ahmed Ni WooCommerce Sales Report Email (plugin slug ni-woocommerce-sales-report-email) allows Reflected XSS. This issue affects Ni WooCommerce Sales Report Email: from n/a through <= 3.1.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in the Ni WooCommerce Sales Report Email WordPress plugin (<= 3.1.4): an unauthenticated attacker can get script injected into a response via a crafted request, but a victim must be induced to send that request.
Vulnerability
Overview
The Ni WooCommerce Sales Report Email plugin for WordPress, versions 3.1.4 and earlier, contains a reflected cross-site scripting (XSS) vulnerability: input taken from the request is written into the generated page without proper neutralization for its output context [1]. An attacker who gets a victim to send a crafted request can therefore have arbitrary HTML and JavaScript returned in the response and executed in the victim's browser, in the origin of the WordPress site.
Exploitation
Conditions
Exploitation requires user interaction: a victim, ideally for the attacker a privileged user such as an administrator, must click a crafted link, visit a specially prepared page, or submit a malicious form [1]. The attacker needs no account on the target site; the injected script runs with whatever privileges the victim's session holds, so the attack depends on social engineering to make the right person perform the action. The advisory rates the issue as moderately dangerous and notes that flaws of this kind are expected to be used in mass-exploitation campaigns targeting thousands of WordPress sites [1].
Impact
Successful exploitation lets the attacker run script of their choosing in the victim's browser, which can redirect visitors to attacker-controlled sites, display unwanted advertisements, or steal sensitive information [1]. Because the script runs in the site's origin with the victim's authenticated session, it can also modify site content or issue requests on behalf of the logged-in user, which is why an administrator is the most valuable target.
Mitigation
The recommended action is to update the plugin to a release later than 3.1.4 as soon as possible [1]; this page's patch index lists no fix commit, so consult the plugin's changelog for the version that addresses the issue. For sites that cannot update immediately, Patchstack provides a mitigation rule that blocks attack requests until the fix is applied [1]. Administrators should also warn users, especially those with elevated roles, about the risks of following untrusted links to the site's admin area.
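The bug class named in the advisory (CWE-79, input written into an HTML attribute without context-appropriate escaping) beside its hardened form, as an added example that is not code from the Ni WooCommerce Sales Report Email plugin or from Patchstack. The page does not name the affected parameter or template, so the `report_range` query parameter, the `render_range_field_*` functions and the `sales-report` admin page slug below are hypothetical stand-ins. The `esc_attr` shim exists only so the file runs under plain `php` on the command line; inside WordPress the real function is used.

```php
<?php
// Added example (not the plugin's code). The parameter name "report_range"
// and the page slug "sales-report" are hypothetical; the page does not name
// the real ones.

// Shim so the file runs outside WordPress. WordPress's own esc_attr() also
// normalises the string before escaping; this stand-in only escapes.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// VULNERABLE (CWE-79): the request value is concatenated into an HTML
// attribute as-is. A value of  "><script>...</script>  closes the attribute
// and the tag, and the browser runs the script in the site's origin, with
// the logged-in victim's cookies available to it.
function render_range_field_vulnerable(array $query): string {
    $range = $query['report_range'] ?? 'weekly';
    return '<input type="text" name="report_range" value="' . $range . '">';
}

// HARDENED: escape for the context the value is written into (an HTML
// attribute). The same bytes now reach the browser as inert text.
function render_range_field_hardened(array $query): string {
    $range = $query['report_range'] ?? 'weekly';
    return '<input type="text" name="report_range" value="' . esc_attr($range) . '">';
}

// Constructed request: what a victim's browser sends after clicking a
// crafted link such as
//   /wp-admin/admin.php?page=sales-report&report_range=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E
// PHP has already URL-decoded the value by the time it is in $_GET.
$crafted = ['report_range' => '"><script>alert(document.domain)</script>'];

echo "vulnerable: ", render_range_field_vulnerable($crafted), PHP_EOL;
echo "hardened:   ", render_range_field_hardened($crafted), PHP_EOL;
```

Run it with `php reflected_xss_demo.php` and compare the two output lines: the vulnerable one contains a live `<script>` element, the hardened one contains `&quot;&gt;&lt;script&gt;` and renders as literal characters. The fix is context-specific: `esc_attr()` is correct for attribute values, `esc_html()` for text between tags, and `esc_url()` for `href`/`src`; a value written inside an inline `<script>` needs `wp_json_encode()` instead. Input sanitization such as `sanitize_text_field()` is a useful second layer but does not replace output escaping.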
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1 product: Ni WooCommerce Sales Report Email, versions <= 3.1.4
Patches
No patches discovered yet (0 indexed).
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference indexed (cited as [1] above; the link is not rendered on this page).
News mentions: 0. No linked articles in our index yet.