Overview
A high-severity Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Kadence WooCommerce Email Designer plugin for WordPress. This vulnerability, tracked as CVE-2025-13387, affects all versions up to and including 1.5.17. Unauthenticated attackers can exploit this flaw to inject malicious JavaScript code into your WordPress site, potentially compromising user accounts and sensitive data.
Technical Details
The vulnerability stems from insufficient input sanitization and output escaping of the customer name within the plugin. Specifically, when an order is placed, the customer’s name is used within the email templates managed by the Kadence WooCommerce Email Designer. An attacker can inject malicious JavaScript code as part of their name during the order process. Because the plugin doesn’t properly sanitize this input, the injected script is then stored in the database and executed whenever the email or related admin pages containing the customer name are accessed.
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) assigns this vulnerability a score of 7.2 (HIGH). This score reflects the potential for significant impact, given that an unauthenticated attacker can inject and execute arbitrary code on the targeted website. Key metrics contributing to this score include:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Possible Impact
Successful exploitation of this Stored XSS vulnerability can have severe consequences, including:
- Account Takeover: Attackers can steal administrator or user session cookies and gain unauthorized access to accounts.
- Data Theft: Sensitive information, such as customer data, order details, and payment information, can be compromised.
- Website Defacement: The attacker could modify website content or redirect users to malicious sites.
- Malware Distribution: The injected script could be used to distribute malware to website visitors.
Mitigation & Patch Steps
The recommended course of action is to immediately update the Kadence WooCommerce Email Designer plugin to the latest version. This patch addresses the input sanitization issues and prevents the exploitation of CVE-2025-13387.
- Update the Plugin: Log in to your WordPress admin dashboard and navigate to the “Plugins” section. Find the “Kadence WooCommerce Email Designer” plugin and click “Update Now” if an update is available.
- Verify Version: Ensure you are running a version greater than 1.5.17.
- Monitor Logs: Keep a close watch on your website’s access logs for any suspicious activity.
- Security Audit: Consider performing a security audit of your WordPress installation to identify and address any other potential vulnerabilities.
