CVE-2025-27355
Published: 24 February 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-27355 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WooCommerce – Loi Hamon WordPress plugin developed by Nicolas GRILLET. The flaw enables Stored XSS and affects all versions from n/a through 1.1.0, as documented in the plugin's vulnerability profile.
An unauthenticated attacker can exploit this over the network with low attack complexity; exploitation requires user interaction (a victim following a crafted link) and results in a changed scope. Successful exploitation via CSRF allows a Stored XSS payload to be injected, with low impact on confidentiality, integrity, and availability; the overall CVSS v3.1 base score is 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The Patchstack advisory provides further details on the vulnerability, including assessment and recommended mitigations, accessible at https://patchstack.com/database/Wordpress/Plugin/loi-hamon/vulnerability/wordpress-woocommerce-loi-hamon-plugin-1-1-0-csrf-to-stored-xss-vulnerability?_s_id=cve.
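The CSRF-to-Stored-XSS chain described above comes down to two defects in a plugin's code path: a state-changing admin handler that honours any request without a nonce or capability check, and a template that later renders the stored value unescaped. The following WordPress settings handler is an added example, not the Loi Hamon plugin's code, showing that weak pattern beside a hardened one; the option name, admin-post action name and function names are hypothetical.

```php
<?php
// Added illustrative example (not the Loi Hamon plugin's code): a settings
// handler that stores an admin-supplied string and renders it on the public
// storefront. Option, action and function names are hypothetical.

// --- Weak pattern: no nonce, no capability check, unescaped output ---------
function example_save_notice_weak() {
    if ( isset( $_POST['example_notice'] ) ) {
        // Any request carrying this field is honoured, so an administrator
        // whose browser submits a cross-site form stores attacker-chosen HTML.
        update_option( 'example_notice', $_POST['example_notice'] );
    }
}
add_action( 'admin_init', 'example_save_notice_weak' );

function example_render_notice_weak() {
    // Stored value echoed verbatim: Stored XSS for every visitor of the page.
    echo '<div class="notice">' . get_option( 'example_notice', '' ) . '</div>';
}

// --- Hardened pattern ------------------------------------------------------
function example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_notice">
        <?php wp_nonce_field( 'example_save_notice', 'example_nonce' ); ?>
        <input type="text" name="example_notice"
               value="<?php echo esc_attr( get_option( 'example_notice', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

function example_save_notice_hardened() {
    // 1. Authorisation: only users allowed to manage options may change it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. CSRF: the request must carry a nonce bound to this action and user;
    //    check_admin_referer() dies with a 403 if it is missing or invalid.
    check_admin_referer( 'example_save_notice', 'example_nonce' );

    // 3. Input: strip tags and normalise before storage so the stored value
    //    carries no markup even if a later template forgets to escape.
    $value = isset( $_POST['example_notice'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_notice'] ) )
        : '';
    update_option( 'example_notice', $value );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_example_save_notice', 'example_save_notice_hardened' );

function example_render_notice_hardened() {
    // 4. Output: escape at the point of rendering, independent of storage.
    echo '<div class="notice">' . esc_html( get_option( 'example_notice', '' ) ) . '</div>';
}
```

The nonce and capability checks close the CSRF half of the chain (CWE-352); sanitising on input and escaping on output close the Stored XSS half independently, so a single missed check no longer yields script execution for storefront visitors. When reviewing a plugin for this class of bug, look for `update_option()` or direct database writes reachable from `admin_init`, `admin_post_*` or `wp_ajax_*` hooks that are not preceded by a `check_admin_referer()` / `wp_verify_nonce()` call and a `current_user_can()` check.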
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF to Stored XSS in a public-facing WordPress plugin directly maps to exploitation of a public-facing web application (T1190), JavaScript execution through the XSS payload (T1059.007), and the user interaction, a malicious link, that triggers the CSRF request (T1204.001).