CVE-2025-60171 Overview
CVE-2025-60171 is a Cross-Site Request Forgery (CSRF) vulnerability in the Conditional Cart Messages for WooCommerce plugin by YourPlugins.com (yourplugins-wc-conditional-cart-notices). The flaw affects all plugin versions up to and including 1.2.10. An attacker can chain the CSRF weakness with stored Cross-Site Scripting (XSS) to inject persistent JavaScript into the WordPress administration interface. Exploitation requires tricking an authenticated administrator into visiting a crafted page or link.
Critical Impact
A successful attack stores malicious JavaScript in the WooCommerce site, enabling session theft, administrative account takeover, and arbitrary actions performed in the victim's browser context.
Affected Products
- Conditional Cart Messages for WooCommerce – YourPlugins.com (yourplugins-wc-conditional-cart-notices)
- All versions from initial release through 1.2.10
- WordPress sites running WooCommerce with this plugin installed
Discovery Timeline
- 2025-09-26 - CVE-2025-60171 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2025-60171
Vulnerability Analysis
The plugin exposes state-changing administrative endpoints that do not validate the origin of incoming requests. The issue is classified under CWE-352: Cross-Site Request Forgery. Because the affected handlers also fail to sanitize input before storing it, an attacker can leverage the CSRF primitive to plant persistent XSS payloads in plugin-managed settings such as cart notice messages.
When an authenticated WordPress administrator visits an attacker-controlled page, the browser automatically submits a forged request to the vulnerable endpoint using the administrator's session cookies. The plugin processes the request as legitimate and persists the attacker-supplied content. Any subsequent visit to a page rendering that content executes the stored script in the visitor's browser.
Root Cause
The vulnerability stems from missing CSRF protection on plugin settings handlers. WordPress provides nonce primitives such as wp_nonce_field() and check_admin_referer(), but the affected endpoints in versions up to 1.2.10 do not enforce these checks. The absence of output encoding on the stored values compounds the issue and enables the stored XSS chain.
Attack Vector
The attack is network-based and requires user interaction. An attacker hosts a page containing a hidden form or fetch() call that targets the vulnerable plugin endpoint on the victim site. The attacker then social-engineers a logged-in administrator into loading that page. The forged request writes attacker-controlled JavaScript into the plugin's stored notice configuration. The payload then executes whenever the cart notice renders, achieving cross-context script execution with the privileges of any user who views the affected page.
No verified public proof-of-concept code is available. Refer to the Patchstack Vulnerability Report for additional advisory details.
Detection Methods for CVE-2025-60171
Indicators of Compromise
- Unexpected <script> tags, event handlers, or obfuscated JavaScript inside WooCommerce cart notice configuration entries stored by yourplugins-wc-conditional-cart-notices.
- Administrative POST requests to plugin endpoints originating from external Referer headers or lacking valid WordPress nonces.
- New or modified administrator accounts, plugin installations, or option changes following an admin session.
Detection Strategies
- Audit the wp_options table and plugin-specific tables for entries containing HTML or script content within cart notice fields.
- Review web server access logs for POST requests to /wp-admin/admin.php or admin-post.php referencing the plugin slug from off-domain referrers.
- Compare the installed plugin version against 1.2.10 and flag any site running an affected build.
Monitoring Recommendations
- Enable a web application firewall ruleset that inspects WordPress admin requests for missing or invalid _wpnonce parameters.
- Forward WordPress and webserver logs to a centralized analytics platform and alert on anomalous administrator-initiated configuration changes.
- Monitor browser-side errors and Content Security Policy (CSP) violation reports for unexpected inline script execution on storefront pages.
How to Mitigate CVE-2025-60171
Immediate Actions Required
- Update Conditional Cart Messages for WooCommerce to a version later than 1.2.10 as soon as the vendor publishes a fix.
- If no patched version is available, deactivate and remove the plugin until remediation is released.
- Force a password reset and invalidate active sessions for all WordPress administrator accounts on affected sites.
Patch Information
The advisory tracked by the Patchstack Vulnerability Report covers all versions up to and including 1.2.10. Site administrators should monitor the YourPlugins.com vendor channel and the WordPress.org plugin page for an updated release that introduces CSRF nonce validation and input sanitization on the affected handlers.
Workarounds
- Restrict /wp-admin/ access by source IP at the reverse proxy or firewall layer to reduce CSRF exposure.
- Deploy a WAF rule that rejects WordPress admin POST requests missing a valid _wpnonce parameter or carrying an off-site Referer.
- Enforce a strict Content Security Policy that disallows inline scripts on storefront pages to limit stored XSS impact.
- Instruct administrators to use a separate browser profile for WordPress administration and to log out of admin sessions when not in use.
# Example: block off-site POSTs to WordPress admin endpoints (nginx)
map $http_referer $wp_admin_offsite {
default 1;
"~*^https?://your-site\.example/" 0;
}
location ~ ^/wp-admin/(admin\.php|admin-post\.php|options\.php) {
if ($request_method = POST) {
if ($wp_admin_offsite) { return 403; }
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
