CVE-2025-53575

Vulnerability

Overview

The Primer MyData for WooCommerce plugin for WordPress versions 4.2.5 and earlier contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an attacker to inject arbitrary JavaScript into a web page, which is then reflected back to the victim's browser.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious link or URL containing the XSS payload and tricking a privileged user (such as an administrator) into clicking the link) into visiting it. No direct authentication is required for the attacker, but successful exploitation requires user interaction from a logged-in user with higher privileges [1]. The attack surface is the web interface of the plugin, and the vulnerability is classified as reflected XSS.

Impact

If exploited, the attacker can execute arbitrary scripts in the context of the victim's browser session. This could lead to session hijacking, defacement, or theft of sensitive information. The CVSS v3 score is 7.1 (High), reflecting the potential for significant impact with relatively low attack complexity [1].

Mitigation

The vendor has released version 4.2.6 which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer is recommended [1].