Platform
wordpress
Component
woocommerce
Fixed in
9.4.3
CVE-2025-5062 is a Cross-Site Scripting (XSS) vulnerability in the WooCommerce plugin for WordPress. It lets an unauthenticated attacker get script executed in the browser of a user who loads the affected page, which puts that user's session and the site's integrity at risk. Every WooCommerce release up to and including 9.4.2 is affected; the patched releases are 9.4.3 and, for sites still on the 9.3 series, 9.3.4.
An attacker exploiting CVE-2025-5062 can get arbitrary JavaScript executed in the 'customize-store' page of a WooCommerce-powered WordPress site. The vector is the browser's postMessage API: a page the attacker controls embeds or opens the vulnerable page and posts a crafted message to it, and the page's message handler places attacker-controlled data in the DOM without checking the sender's origin or escaping the content (the usual postMessage-XSS pattern; the advisory does not publish the exact handler). Luring a victim to the attacker's page, for example with a link in an email or a comment, is enough, and the attacker needs no account on the site. The injected script then runs in the victim's browser with the victim's session: it can issue requests as that user (WordPress authentication cookies are HttpOnly, so acting through the session rather than copying it is the realistic goal), redirect the user to a phishing page, or alter what the page shows. The blast radius is every user who can be lured while they hold a session for the affected page; on an e-commerce site an administrator's session is the high-value target, so successful exploitation can end in account takeover, data theft and reputational damage.
CVE-2025-5062 was published on May 22, 2025 and is currently rated Medium (CVSS 6.1). It is not listed in CISA's KEV catalogue as of this writing, and no public reports of in-the-wild exploitation are known; EPSS currently puts it at 1.57% (81st percentile). Because exploitation needs only a lure and a logged-in victim, and WooCommerce is very widely deployed, expect it to be picked up by attackers; keep monitoring security advisories and threat-intelligence feeds for updates.
Exploit status
EPSS
1.57% (81st percentile)
CISA SSVC
CVSS vector
The fix for CVE-2025-5062 is to upgrade WooCommerce to a patched release: 9.4.3 or newer, or 9.3.4 if you are still on the 9.3 series. If you cannot upgrade immediately because of compatibility testing, be clear about what the interim controls can and cannot do. The attack travels over postMessage between browser windows and never reaches your server, so a WAF rule cannot match it and web-server logs will not show it; neither is a mitigation for this bug. What does help: restrict who can reach the 'customize-store' page to the administrators who need it, ask those administrators not to browse untrusted sites while they hold an admin session, and, if your deployment tolerates it, send a Content-Security-Policy with a frame-ancestors directive so other origins cannot frame the admin area (this does not cover a window opened by the attacker's page through window.open, so treat it as partial). Do not hand-patch the handler yourself; it is plugin code and the next update overwrites it. After upgrading, confirm the installed version is at or above the patched release and retest your store's admin and checkout flows; a payload-based retest of the page is only meaningful if you know the message format the handler accepts, which the advisory does not publish.
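The following is an added example, not WooCommerce's code and not taken from the advisory: it shows the generic postMessage-XSS pattern that the description above refers to, with a vulnerable message handler beside a hardened one. The element stub, the `TRUSTED_ORIGIN` value, the message field names and the two sample messages are all constructed for the demo so the file runs under Node without a browser.

```javascript
// Added example, not WooCommerce's code: the generic postMessage-XSS pattern
// and a hardened handler beside it. The DOM is stubbed with a plain object
// so the file runs under Node.

// Stand-in for a DOM element (hypothetical helper).
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Vulnerable handler: trusts any sender and writes message data into a
// script-capable sink. In a real browser, innerHTML does not run <script>
// tags, but an <img onerror=...> payload fires as soon as the image fails.
function vulnerableHandler(target, event) {
  target.innerHTML = event.data.previewHtml;
  return true; // message accepted
}

// Hardened handler: allow-list the sender origin, require the expected
// message shape, and write only to an inert text sink. If markup is
// genuinely needed, sanitize it (e.g. DOMPurify) before innerHTML.
const TRUSTED_ORIGIN = "https://shop.example"; // hypothetical store origin
function hardenedHandler(target, event) {
  if (event.origin !== TRUSTED_ORIGIN) return false;                // foreign sender
  if (typeof event.data !== "object" || event.data === null) return false;
  if (typeof event.data.previewText !== "string") return false;     // wrong shape
  target.textContent = event.data.previewText;                      // no HTML parsing
  return true;
}

// Crude oracle for the demo: did an executable construct reach innerHTML?
function scriptReachedDom(target) {
  return /<script\b|\bon\w+\s*=|javascript:/i.test(target.innerHTML);
}

// Constructed attacker message, as a page the attacker controls would send
// with victimWindow.postMessage(payload, "*") after framing or opening it.
const ATTACKER_EVENT = {
  origin: "https://attacker.example",
  data: {
    previewHtml: '<img src=x onerror="alert(document.domain)">',
    previewText: "ignored by the vulnerable handler",
  },
};

// Constructed legitimate message from the store's own origin.
const TRUSTED_EVENT = {
  origin: TRUSTED_ORIGIN,
  data: { previewText: "<b>Welcome</b>" }, // shown literally, never parsed
};

function runDemo() {
  const vuln = makeElement();
  vulnerableHandler(vuln, ATTACKER_EVENT);

  const hardAttacked = makeElement();
  const attackerAccepted = hardenedHandler(hardAttacked, ATTACKER_EVENT);

  const hardTrusted = makeElement();
  const trustedAccepted = hardenedHandler(hardTrusted, TRUSTED_EVENT);

  return {
    vulnerableExecutes: scriptReachedDom(vuln),       // true
    attackerAccepted,                                  // false
    hardenedExecutes: scriptReachedDom(hardAttacked), // false
    trustedAccepted,                                   // true
    trustedRendered: hardTrusted.textContent,          // "<b>Welcome</b>"
  };
}

console.log(runDemo());
```

The origin check is the part that blocks the cross-window attack; the inert sink is what stops the payload even if a trusted origin is ever compromised. Both belong in the handler, and neither can be substituted by a WAF rule, because the message never leaves the victim's browser.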
Update to one of the following versions, or a newer patched version: 9.3.4, 9.4.3
It's a Cross-Site Scripting (XSS) vulnerability in the WooCommerce plugin for WordPress, allowing attackers to inject malicious scripts.
If you're running any WooCommerce release up to and including 9.4.2 you are affected, unless you are on the 9.3 series at 9.3.4 or later. Check the installed plugin version now.
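A small version classifier, added here as an example (not from this page or the WooCommerce project), that encodes the ranges the advisory gives: affected up to and including 9.4.2, patched at 9.3.4 and 9.4.3 or newer. It assumes that 9.3.4 is a backport for sites on the 9.3 series, so any 9.3.x at or above 9.3.4 counts as patched; the sample version strings are constructed and stand in for the output of `wp plugin get woocommerce --field=version`.

```javascript
// Added example, not from the page or the WooCommerce project: classify an
// installed WooCommerce version against this advisory's ranges
// (affected: up to and including 9.4.2; patched: 9.3.4 and 9.4.3 or newer).
// Assumption: 9.3.4 is a backport on the 9.3 series, so 9.3.x at or above
// 9.3.4 is treated as patched alongside everything at or above 9.4.3.

function parseVersion(v) {
  const m = /^\s*(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v));
  if (!m) throw new Error(`unparseable version string: ${JSON.stringify(v)}`);
  return [Number(m[1]), Number(m[2]), Number(m[3] ?? 0)]; // "9.4" -> 9.4.0
}

function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const [major, minor] = parseVersion(version);
  if (compareVersions(version, "9.4.3") >= 0) return false;   // 9.4.3 and newer
  if (major === 9 && minor === 3 && compareVersions(version, "9.3.4") >= 0) {
    return false;                                              // 9.3 backport branch (assumption)
  }
  return true;                                                 // everything else <= 9.4.2
}

function classify(versions) {
  return versions.map((v) => ({ version: v, affected: isAffected(v) }));
}

// Constructed sample inputs; in practice feed the installed version string.
console.log(classify(["8.9.1", "9.3.3", "9.3.4", "9.4.2", "9.4.3", "9.5.0"]));
```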
Upgrade WooCommerce to 9.4.3 or later (9.3.4 on the 9.3 series). If you cannot upgrade right away, limit who can reach the affected page and warn your administrators; a WAF rule never sees postMessage traffic and is not a workaround for this bug.
No active campaigns targeting this vulnerability are publicly known as of this writing, but XSS bugs in widely installed plugins are routinely weaponised, so do not plan on that staying true.
Refer to the official WordPress security advisories and the WooCommerce documentation for more information and updates.