Urgent Alert: Reflected XSS Vulnerability Found in Woomotiv WordPress Plugin (CVE-2025-13137)

by

Overview

A reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Live Sales Notification for Woocommerce – Woomotiv plugin for WordPress. This vulnerability, tracked as CVE-2025-13137, affects all versions up to and including 3.6.3. The flaw stems from insufficient input sanitization and output escaping of the ‘woomotiv_limit’ parameter. This allows unauthenticated attackers to inject malicious JavaScript code into affected pages.

Technical Details

The vulnerability lies within how the Woomotiv plugin handles the woomotiv_limit parameter. Due to a lack of proper sanitization, an attacker can inject arbitrary JavaScript code into the URL. When a user clicks on a crafted link containing this malicious code, the script executes within the user’s browser. This is a classic example of a reflected XSS vulnerability, as the malicious payload is reflected back to the user from the server.

CVSS Analysis

  • CVE ID: CVE-2025-13137
  • Severity: MEDIUM
  • CVSS Score: 6.1

Possible Impact

A successful XSS attack through CVE-2025-13137 could have several serious consequences, including:

  • Account Takeover: Attackers could steal user cookies and session tokens, gaining unauthorized access to user accounts, including administrator accounts.
  • Data Theft: Sensitive information, such as personal data or financial details, could be stolen from the affected website.
  • Malware Distribution: Attackers could redirect users to malicious websites or inject malware directly into the compromised page.
  • Website Defacement: The attacker can modify the appearance or content of the website, potentially damaging its reputation.

Mitigation and Patch Steps

To protect your WordPress website from CVE-2025-13137, it is crucial to take the following steps:

  1. Update the Woomotiv Plugin: Immediately update the Live Sales Notification for Woocommerce – Woomotiv plugin to the latest version. The updated version (later than 3.6.3) contains a fix for this vulnerability.
  2. Review User Input Sanitization: If you are a developer of WordPress plugins, ensure you are properly sanitizing all user inputs and escaping all outputs to prevent XSS vulnerabilities. Use WordPress’s built-in functions for sanitization and escaping.
  3. Web Application Firewall (WAF): Consider implementing a Web Application Firewall (WAF) to detect and block malicious requests attempting to exploit this vulnerability.
  4. User Education: Educate users about the dangers of clicking on suspicious links or entering information on untrusted websites.

References

Leave a Comment