CVE-2025-27275

The WOO Codice Fiscale plugin for WordPress, versions 1.6.3 and below, contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This means the plugin fails to sanitize or escape certain input before including it in the HTML output of a page.

An attacker can exploit this vulnerability by crafting a malicious link that includes a payload in a query parameter or form value. If a privileged user (such as an administrator) clicks the link, the injected script will execute in their browser session [1]. The attack does not require authentication for the initial delivery, but successful exploitation depends on the target user performing an action, such as clicking the link or submitting a form, making it a reflected XSS with user interaction required.

A successful attack could allow the attacker to inject arbitrary HTML and JavaScript into the victim's browser, leading to actions such as redirecting visitors to malicious sites, displaying fake advertisements, or stealing session tokens [1]. The vulnerability is rated as moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of WordPress sites.

To mitigate this vulnerability, users should update the plugin to a patched version as soon as one becomes available. Patchstack has released a mitigation rule that can block attacks until an official fix is released [1]. As an immediate action, updating the plugin is strongly recommended; if that is not possible, a security plugin or web application firewall (WAF) can help block malicious requests.