CVE-2025-64200
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VillaTheme Email Template Customizer for WooCommerce email-template-customizer-for-woo allows Stored XSS. This issue affects Email Template Customizer for WooCommerce: from n/a through <= 1.2.17.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in VillaTheme Email Template Customizer for WooCommerce (<=1.2.17) allows attackers to inject malicious scripts via email templates, requiring admin interaction to trigger.
Vulnerability
Overview
CVE-2025-64200 is a Stored Cross-Site Scripting (XSS) vulnerability found in the VillaTheme Email Template Customizer for WooCommerce plugin, affecting all versions up to and including 1.2.17. The root cause is improper neutralization of user-supplied input during web page generation, which enables an attacker to store arbitrary JavaScript code within the email template content [1].
Exploitation
Conditions
To exploit this flaw, an attacker must have at least an account with the ability to edit email templates (typically a Shop Manager or Administrator role). The injected malicious script is then stored on the server and executed when any user (including site visitors) views the affected email. However, successful exploitation requires a privileged user to perform an action, such as clicking a malicious link or previewing a crafted template [1].
Impact
An attacker can inject scripts that perform a variety of malicious actions, including redirecting users to phishing pages, displaying unwanted advertisements, or stealing sensitive session cookies. This can lead to compromised site integrity, unauthorized data access, and potential account takeovers [1].
Mitigation
The vulnerability has been patched in version 1.2.18. Users are strongly advised to update immediately. For those unable to update, the advisory notes that the plugin is part of mass-exploit campaigns, and contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=1.2.17
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.