CVE-2025-47505
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ProWCPlugins Product Time Countdown for WooCommerce product-countdown-for-woocommerce allows Stored XSS. This issue affects Product Time Countdown for WooCommerce: from n/a through <= 1.6.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Product Time Countdown for WooCommerce plugin allows privileged attackers to inject malicious scripts.
Vulnerability Description
Product Time Countdown for WooCommerce (versions up to 1.6.2) suffers from a stored cross-site scripting (XSS) vulnerability. The plugin fails to properly neutralize user input during web page generation, enabling attackers to inject arbitrary scripts into the site [1].
Exploitation
Exploitation requires a user with contributor-level privileges or higher. An attacker with such access can inject malicious payloads into product pages or countdown fields. These payloads are subsequently executed when other users, including administrators, view the affected pages [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive information [1]. The vulnerability has a CVSS score of 6.5 (Medium), indicating moderate severity.
Mitigation
The vulnerability is patched in version 1.6.3. Users are strongly advised to update to this version immediately. Sites that cannot update should undergo a full security review and apply input sanitization [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- (no CPE) range: <= 1.6.2
- (no CPE) range: <=1.6.2
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.