CVE-2025-13974 – This stored XSS vulnerability in the Email Cust... (How to Fix)

Q: What is the severity of CVE-2025-13974?

CVE-2025-13974 has a CVSS score of 4.4 (MEDIUM). This stored XSS vulnerability in the Email Customizer for WooCommerce WordPress plugin allows authenticated administrators to inject malicious scripts into email templates. These scripts execute when customers view transactional emails, potentially compromising their browsers. Only multi-site WordPress installations and single-site installations with unfiltered_html disabled are affected.

📋 TL;DR

This stored XSS vulnerability in the Email Customizer for WooCommerce WordPress plugin allows authenticated administrators to inject malicious scripts into email templates. These scripts execute when customers view transactional emails, potentially compromising their browsers. Only multi-site WordPress installations and single-site installations with unfiltered_html disabled are affected.

💻 Affected Systems

Products:

Email Customizer for WooCommerce WordPress plugin

Versions: All versions up to and including 2.6.7

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ✅ No

Notes: Only affects multi-site WordPress installations OR single-site installations where the unfiltered_html capability has been explicitly disabled.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal customer session cookies, redirect users to malicious sites, or perform actions on behalf of users when they view infected transactional emails.

🟠

Likely Case

Authenticated administrators could embed tracking scripts or deface email content visible to customers, damaging trust and brand reputation.

🟢

If Mitigated

With proper input validation and output escaping, no script execution occurs, maintaining email integrity.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires administrator-level WordPress access. Attackers with such access can directly edit email templates via the plugin interface to inject scripts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.8 or later

Vendor Advisory: https://plugins.trac.wordpress.org/browser/email-customizer-for-woocommerce/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Email Customizer for WooCommerce'. 4. Click 'Update Now' if available, or manually update to version 2.6.8+. 5. Verify update completes successfully.

🔧 Temporary Workarounds

Enable unfiltered_html capability

all

For single-site installations, ensure the unfiltered_html capability is enabled for administrators (default in WordPress). This prevents the vulnerability from being exploitable.

No commands needed; check WordPress configuration.

Restrict administrator access

all

Limit administrator accounts to only trusted personnel and implement strong authentication (e.g., 2FA) to reduce risk of malicious admin actions.

No commands needed; manage user roles in WordPress.

🧯 If You Can't Patch

Temporarily disable the Email Customizer for WooCommerce plugin if not essential for business operations.
Implement a web application firewall (WAF) with XSS protection rules to block malicious script injection attempts.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for 'Email Customizer for WooCommerce'. If version is 2.6.7 or lower, and you have a multi-site install or unfiltered_html disabled, you are vulnerable.

Check Version:

wp plugin list --name='Email Customizer for WooCommerce' --field=version (if WP-CLI is installed)

Verify Fix Applied:

After updating, confirm the plugin version is 2.6.8 or higher in the WordPress plugins list. Test email template editing to ensure script tags are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

Unusual administrator activity editing email templates in WordPress logs.
HTTP POST requests to plugin admin endpoints with script-like payloads in access logs.

Network Indicators:

Outbound connections from customer browsers to unexpected domains after viewing transactional emails.

SIEM Query:

source="wordpress.log" AND "Email Customizer" AND ("update" OR "edit") AND ("script" OR "onerror" OR "javascript:")

📊 Metadata

CVE ID: CVE-2025-13974

CVSS v3 Score: 4.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.04% exploit probability (11.1th percentile)

Published: January 7, 2026

Last Updated: January 8, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13974, you might also want to check these: