CVE-2025-69386
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realvirtualmx RVCFDI para Woocommerce rvcfdi-para-woocommerce allows Reflected XSS. This issue affects RVCFDI para Woocommerce: from n/a through <= 8.1.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in the RVCFDI para Woocommerce plugin (≤8.1.8) allows unauthenticated attackers to inject arbitrary scripts via crafted requests.
The RVCFDI para Woocommerce plugin for WordPress is vulnerable to a reflected cross-site scripting (XSS) attack prior to version 8.1.9. This improper neutralization of user-supplied input during web page generation allows an attacker to inject arbitrary HTML and JavaScript into a page that is returned to the victim. The vulnerability exists because the plugin fails to properly sanitize or escape request input before including it in its output, a classic reflected XSS flaw.
Exploitation requires no authentication, but the attacker must trick a privileged administrator (or any user with the ability to trigger the vulnerable endpoint) into clicking a crafted link or visiting a maliciously crafted URL. This is a reflected XSS attack, so the malicious payload is not stored on the server but is reflected immediately in the HTTP response. The attack can be launched from any website or email, making it suitable for mass campaigns [1].
If successfully exploited, an attacker could execute arbitrary scripts in the browser of the victim user. This could lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive data such as cookies and authentication tokens. Given the moderate CVSS score of 7.1 and the active threat landscape for WordPress plugins, this vulnerability is expected to be used in automated attacks [1].
There is no patch available as of the disclosure date. The recommended immediate action is to update the plugin to a safe version when one is released. If an update is not yet available, a mitigation rule from Patchstack can block attacks, or users should ask their hosting provider for assistance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 8.1.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.