VYPR
Medium severity 6.5 · NVD Advisory · Published Dec 9, 2025 · Updated Apr 15, 2026

CVE-2025-67542

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SilkyPress Multi-Step Checkout for WooCommerce wp-multi-step-checkout allows DOM-Based XSS. This issue affects Multi-Step Checkout for WooCommerce: from n/a through <= 2.33.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DOM-Based XSS in Multi-Step Checkout for WooCommerce (<=2.33) allows script injection via improper input neutralization.

The Multi-Step Checkout for WooCommerce plugin (wp-multi-step-checkout) versions up to and including 2.33 suffer from a DOM-Based Cross-Site Scripting (XSS) vulnerability. The root cause is improper neutralization of user input during web page generation, enabling an attacker to inject arbitrary JavaScript into the checkout process [1].

Exploitation requires user interaction, such as clicking a crafted link or visiting a specially prepared page. An authenticated user with certain privileges (as defined in the plugin's roles) can be tricked into performing an action that triggers the XSS payload. The vulnerability is DOM-based, meaning the attack payload modifies the client-side environment without necessarily being reflected in the server response [1].

Successful exploitation allows a malicious actor to inject scripts that can execute in the context of a visitor's browser. This can lead to redirects, display of advertisements, or other HTML payloads, potentially compromising the integrity of the affected site and its users [1].

The issue has been addressed in version 2.34 of the plugin. Users are strongly advised to update to this version or later. Patchstack users can enable auto-updates for vulnerable plugins. While the vulnerability has a medium CVSS score of 6.5, reports indicate such flaws are used in mass-exploit campaigns against thousands of websites, regardless of their size or popularity [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
