CVE-2025-27275

CVE-2025-27275 is an improper neutralization of input during web page generation vulnerability, enabling reflected cross-site scripting (XSS) as classified under CWE-79, in the WordPress plugin WOO Codice Fiscale by andrew_fisher. The issue affects all versions of the plugin from n/a through 1.6.3 inclusive. Published on 2025-03-03, it carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to network accessibility and scope change.

Attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges but user interaction, such as clicking a malicious link that reflects unsanitized input back into the web page. Exploitation occurs in the victim's browser context, allowing limited impacts on confidentiality, integrity, and availability, such as potential theft of session cookies, defacement of pages for the user, or minor disruptions.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/woo-codice-fiscale/vulnerability/wordpress-woo-codice-fiscale-plugin-1-6-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details the vulnerability in the WordPress WOO Codice Fiscale plugin version 1.6.3 and provides associated guidance for practitioners.