CVE-2025-13369 Overview
The Premmerce WooCommerce Customers Manager plugin for WordPress contains a Reflected Cross-Site Scripting (XSS) vulnerability affecting all versions up to and including 1.1.14. The vulnerability exists due to insufficient input sanitization and output escaping in the money_spent_from, money_spent_to, registered_from, and registered_to parameters within the plugin's administrative filter functionality.
This vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages that execute when an administrator performs an action such as clicking on a malicious link. As a reflected XSS vulnerability, the attack payload is delivered through a crafted URL and reflected back to the victim's browser without proper sanitization.
Critical Impact
Unauthenticated attackers can execute arbitrary JavaScript in the context of an authenticated administrator's session, potentially leading to session hijacking, administrative account compromise, or malicious actions performed on behalf of the administrator.
Affected Products
- Premmerce WooCommerce Customers Manager plugin for WordPress versions up to and including 1.1.14
- WordPress installations running the vulnerable plugin versions
- WooCommerce stores utilizing the Customers Manager functionality
Discovery Timeline
- 2026-01-07 - CVE-2025-13369 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-13369
Vulnerability Analysis
This Reflected Cross-Site Scripting vulnerability stems from improper handling of user-supplied input in the plugin's customer filtering functionality. The affected parameters (money_spent_from, money_spent_to, registered_from, registered_to) accept date and monetary value inputs that are used to filter customer records in the WooCommerce administrative interface.
When these parameters are submitted via GET or POST requests, the plugin fails to properly sanitize the input before reflecting it back in the HTML response. This creates an injection point where attackers can craft malicious URLs containing JavaScript payloads that execute in the context of an administrator's authenticated session.
The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), which is a fundamental web application security flaw. The attack requires user interaction (social engineering an administrator to click a malicious link), but no authentication is required for the attacker to craft and distribute the malicious payload.
Root Cause
The root cause of this vulnerability lies in the filter view component located in views/admin/filter.php and the associated Admin class in src/Admin/Admin.php. The plugin directly outputs user-controlled parameter values without applying proper escaping functions such as esc_attr(), esc_html(), or wp_kses() that WordPress provides for output sanitization.
When rendering the filter form, the vulnerable parameters are echoed back to the page to maintain form state, but without proper encoding. This allows script tags or event handlers embedded in the parameter values to be interpreted as executable code by the browser.
Attack Vector
The attack vector is network-based and requires social engineering to execute successfully. An attacker would craft a malicious URL targeting the WordPress admin panel's customer manager page with a JavaScript payload embedded in one of the vulnerable parameters. The attack sequence typically follows this pattern:
- The attacker identifies a WordPress site using the vulnerable Premmerce WooCommerce Customers Manager plugin
- A malicious URL is crafted containing JavaScript code in one of the four vulnerable parameters
- The attacker distributes this link to site administrators via email, social media, or other communication channels
- When an authenticated administrator clicks the link, the malicious script executes in their browser session
- The script can then steal session cookies, perform actions as the administrator, or further compromise the WordPress installation
The vulnerability is particularly dangerous in e-commerce environments where WooCommerce stores manage sensitive customer data and payment information. For detailed technical analysis, refer to the Wordfence Vulnerability Analysis.
Detection Methods for CVE-2025-13369
Indicators of Compromise
- Suspicious access logs showing requests to the WooCommerce Customers Manager admin pages with unusual parameter values containing HTML or script tags
- Encoded JavaScript payloads (URL-encoded, HTML entity encoded) in the money_spent_from, money_spent_to, registered_from, or registered_to parameters
- Unusual administrator session activity following visits to customer manager filter pages
- Referrer logs showing external sources linking to admin URLs with suspicious query strings
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block XSS patterns in URL parameters targeting WordPress admin pages
- Monitor HTTP access logs for requests containing common XSS payloads such as <script>, javascript:, onerror=, and onload= in query parameters
- Deploy Content Security Policy (CSP) headers to prevent inline script execution and report policy violations
- Utilize WordPress security plugins that scan for known vulnerable plugin versions and alert administrators
Monitoring Recommendations
- Enable verbose logging for all WordPress admin panel access and review logs regularly for anomalous patterns
- Configure alerting for multiple failed or suspicious requests to the customer manager interface from the same IP address
- Monitor for unexpected administrative actions that could indicate session compromise following XSS exploitation
- Implement real-time browser-based XSS detection using SentinelOne Singularity XDR for endpoint protection
How to Mitigate CVE-2025-13369
Immediate Actions Required
- Update the Premmerce WooCommerce Customers Manager plugin to a version newer than 1.1.14 that includes security patches
- Review WordPress admin access logs for evidence of exploitation attempts against the vulnerable parameters
- Verify all administrator accounts for unauthorized activity and rotate credentials if suspicious behavior is detected
- Implement a Web Application Firewall with XSS protection rules as a defense-in-depth measure
Patch Information
The vulnerability affects all versions of the Premmerce WooCommerce Customers Manager plugin up to and including version 1.1.14. Site administrators should update to the latest available version through the WordPress plugin repository. The vulnerable code can be examined in the Admin.php source code and the filter.php view template.
Workarounds
- Temporarily disable the Premmerce WooCommerce Customers Manager plugin until a patched version is available
- Restrict access to the WordPress admin panel using IP-based access controls to limit potential attackers
- Implement Content Security Policy headers with script-src 'self' to mitigate the impact of XSS attacks
- Train administrators to verify URLs before clicking and avoid following links from untrusted sources to WooCommerce admin pages
# Add CSP header to WordPress .htaccess as a temporary mitigation
# Place in the root .htaccess file of your WordPress installation
<IfModule mod_headers.c>
Header set Content-Security-Policy "script-src 'self'; object-src 'none';"
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
