CVE-2025-48249

Vulnerability

Overview

The EAN for WooCommerce plugin (versions up to and including 5.4.6) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. The plugin fails to sanitize or escape certain fields, allowing a malicious actor to inject arbitrary HTML and JavaScript that gets stored on the server and subsequently executed in the browsers of visitors [1].

Exploitation

Details

Successful exploitation requires an authenticated user with at least contributor-level privileges. The attacker injects a malicious payload (e.g., a script tag) into a field that the plugin renders on the front-end or admin pages. No direct user interaction from the victim is needed beyond normal page viewing; the stored XSS payload executes automatically when the page is loaded [1].

Impact

A successful attack can lead to a range of malicious outcomes, including redirection to phishing sites, injection of unwanted advertisements, defacement of the website, or theft of session cookies. This type of vulnerability is frequently targeted in mass-exploit campaigns that aim to compromise thousands of WordPress sites at scale [1].

Mitigation

The vendor has released version 5.4.7 which addresses the issue. Users are strongly advised to update immediately. Those unable to update should consider implementing a web application firewall or restricting user roles. Patchstack subscribers can enable auto-updates for vulnerable plugins [1].