CVE-2025-23903

Vulnerability

Description The Local Shipping Labels for WooCommerce plugin (versions up to and including 1.0.0) suffers from a reflected cross-site scripting vulnerability due to improper neutralization of user input during page generation [1]. This means that attacker-controlled parameters can be injected into web pages without proper sanitization, making the site vulnerable to script injection.

Exploitation

Prerequisites Exploitation of this vulnerability requires user interaction, such as a privileged user clicking a malicious link or visiting a crafted page [1]. The attacker does not need prior authentication but must trick a user into taking an action. This type of vulnerability is commonly used in mass-exploit campaigns targeting WordPress sites regardless of size [1].

Impact

Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript into the affected website's pages [1]. This can be used to perform actions such as redirecting visitors to malicious sites, displaying advertisements, stealing session cookies, or defacing the site. The CVSS score of 7.1 (High) reflects its potential for significant harm with low attack complexity.

Mitigation

Users should update the plugin to a patched version as soon as possible [1]. Patchstack has issued a mitigation rule to block attacks until an official patch is available. Given that the vulnerability is expected to become exploited, immediate action is recommended. If updating is not possible, consult your hosting provider or web developer for assistance.