CVE-2025-13369
📋 TL;DR
The Premmerce WooCommerce Customers Manager plugin for WordPress is vulnerable to reflected cross-site scripting (XSS) via specific filter parameters. Unauthenticated attackers can inject malicious scripts that execute when administrators click specially crafted links, potentially compromising admin sessions and site security. All WordPress sites using this plugin up to version 1.1.14 are affected.
💻 Affected Systems
- Premmerce WooCommerce Customers Manager for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Administrator account takeover leading to full WordPress site compromise, data theft, malware installation, or complete site defacement.
Likely Case
Session hijacking of administrator accounts, leading to unauthorized access to sensitive customer data and plugin/theme modifications.
If Mitigated
Script execution blocked by browser security features or Content Security Policy, resulting in no impact.
🎯 Exploit Status
Exploitation requires social engineering to trick administrators into clicking malicious links. No authentication required to trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.15 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'WooCommerce Customers Manager' and click 'Update Now'. 4. Verify update to version 1.1.15 or higher.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily deactivate the WooCommerce Customers Manager plugin until patched.
wp plugin deactivate woo-customers-manager
Implement Content Security Policy
allAdd CSP headers to block inline script execution and restrict script sources.
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or configure via WordPress security plugin
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in URL parameters
- Educate administrators about phishing risks and implement link validation procedures
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 1.1.14 or lower, you are vulnerable.Check Version:
wp plugin get woo-customers-manager --field=versionVerify Fix Applied:
After updating, verify plugin version shows 1.1.15 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual GET requests containing script tags in money_spent_from, money_spent_to, registered_from, or registered_to parameters
- Multiple failed login attempts following suspicious URL accesses
Network Indicators:
- HTTP requests with JavaScript payloads in URL parameters to admin-ajax.php or plugin endpoints
SIEM Query:
source="web_logs" AND (uri="*money_spent_from=*<script>*" OR uri="*money_spent_to=*<script>*" OR uri="*registered_from=*<script>*" OR uri="*registered_to=*<script>*")🔗 References
- https://plugins.trac.wordpress.org/browser/woo-customers-manager/tags/1.1.14/src/Admin/Admin.php#L135
- https://plugins.trac.wordpress.org/browser/woo-customers-manager/tags/1.1.14/views/admin/filter.php#L43
- https://plugins.trac.wordpress.org/browser/woo-customers-manager/trunk/src/Admin/Admin.php#L135
- https://plugins.trac.wordpress.org/browser/woo-customers-manager/trunk/views/admin/filter.php#L43
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9980ec20-60ae-42eb-a2cd-146e57435398?source=cve
