Skip to main content

WOO Codice Fiscale CVE-2025-27275

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:52 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in andrew_fisher WOO Codice Fiscale allows Reflected XSS. This issue affects WOO Codice Fiscale: from n/a through 1.6.3.

AnalysisAI

Reflected cross-site scripting (XSS) in WOO Codice Fiscale WordPress plugin versions up to 1.6.3 enables remote attackers to execute arbitrary JavaScript in victim browsers when users click malicious links. The vulnerability requires user interaction (clicking a crafted URL) but no authentication, allowing attackers to steal session cookies, perform actions as the victim, or deliver malware. EPSS score of 0.09% (26th percentile) indicates low likelihood of mass exploitation. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept at time of analysis.

Technical ContextAI

WOO Codice Fiscale is a WooCommerce extension plugin that adds Italian tax code (Codice Fiscale) fields to checkout forms. The vulnerability stems from improper neutralization of user-supplied input (CWE-79) during web page generation, specifically affecting the reflected XSS category where malicious scripts embedded in URL parameters or form inputs are immediately rendered back to users without sanitization. As a WordPress plugin integrated with WooCommerce checkout workflows, the affected component likely fails to properly escape or validate query string parameters before echoing them into HTML output. The plugin processes user input related to Italian tax code validation and checkout form fields, which becomes the attack vector when crafted input containing JavaScript payloads is reflected into the page context without encoding.

Affected ProductsAI

WordPress plugin WOO Codice Fiscale versions from earliest release through version 1.6.3 are confirmed vulnerable, as documented in Patchstack vulnerability database entry. The plugin is developed by andrew_fisher and available through the WordPress.org plugin repository for WooCommerce installations. All WordPress sites running WooCommerce with this plugin installed at version 1.6.3 or earlier should be considered affected. No CPE identifiers were provided in the available data. Vendor advisory and detailed vulnerability analysis available at https://patchstack.com/database/wordpress/plugin/woo-codice-fiscale/vulnerability/wordpress-woo-codice-fiscale-plugin-1-6-3-reflected-cross-site-scripting-xss-vulnerability.

RemediationAI

Update WOO Codice Fiscale plugin to a version newer than 1.6.3 once a patched release becomes available from the plugin author or WordPress.org repository. Monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/woo-codice-fiscale/vulnerability/wordpress-woo-codice-fiscale-plugin-1-6-3-reflected-cross-site-scripting-xss-vulnerability for patch release notifications and verification of fixed versions. As an interim mitigation if no patch is immediately available, consider temporarily disabling the WOO Codice Fiscale plugin if Italian tax code functionality is not critical to business operations, though this will remove Codice Fiscale fields from checkout and may impact compliance for Italian customers. Alternatively, implement Web Application Firewall (WAF) rules to filter suspicious query parameters containing script tags or JavaScript event handlers targeting the plugin's endpoints, though this approach requires careful tuning to avoid blocking legitimate checkout transactions. Deploy Content Security Policy (CSP) headers with 'script-src self' directives to limit execution of inline scripts and reduce XSS impact, noting this may interfere with other WordPress plugins or themes relying on inline JavaScript. Educate site administrators and customer service staff to recognize and avoid clicking suspicious URLs containing unusual query parameters, as user interaction is required for exploitation.

Share

CVE-2025-27275 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy