CVE-2025-60158

Vulnerability

Overview The Nota Fiscal Eletrônica WooCommerce plugin for WordPress (versions up to 3.4.0.9) suffers from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This means that an attacker who can provide content that is later displayed on the site (such as through order or customer data) can inject arbitrary HTML or JavaScript code.

Exploitation and

Attack Surface Exploitation requires user interaction, such as a privileged user clicking a crafted link or visiting a page that processes the malicious input [1]. The vulnerability can be triggered by users with certain roles, and successful injection leads to the script being stored on the server and executed whenever other users (including administrators or visitors) view the affected pages.

Impact

A successful attack allows the attacker to execute arbitrary scripts in the context of the victim's browser. This could be used to redirect visitors, display advertisements, steal session cookies, or perform other actions that compromise the integrity or confidentiality of the WordPress site and its users [1].

Mitigation

The vendor has released version 3.4.1.0 which fixes the vulnerability. Users are strongly advised to update to this version immediately. Patchstack users can enable auto-updates for vulnerable plugins. Although the vulnerability is considered low severity and unlikely to be exploited in mass campaigns, applying the patch prevents potential attacks [1].