CVE-2025-64200
📋 TL;DR
This stored XSS vulnerability in VillaTheme's Email Template Customizer for WooCommerce plugin allows attackers to inject malicious scripts into email templates. When administrators view or edit these templates, the scripts execute in their browser context. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- VillaTheme Email Template Customizer for WooCommerce
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, perform actions as administrators, install backdoors, or redirect users to malicious sites.
Likely Case
Attackers inject malicious scripts into email templates that execute when administrators manage templates, potentially stealing credentials or performing limited administrative actions.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized before execution, preventing exploitation.
🎯 Exploit Status
Requires authenticated access (contributor or higher) to inject malicious scripts into email templates.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 1.2.17
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Email Template Customizer for WooCommerce'. 4. Click 'Update Now' if available. 5. Alternatively, download latest version from WordPress repository and replace plugin files.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
allDisable the vulnerable plugin until patched
wp plugin deactivate email-template-customizer-for-woo
🧯 If You Can't Patch
- Restrict user roles: Only grant contributor or higher access to trusted users
- Implement WAF rules to block XSS payloads in email template content
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed PluginsCheck Version:
wp plugin get email-template-customizer-for-woo --field=versionVerify Fix Applied:
Verify plugin version is greater than 1.2.17📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to email template endpoints
- Suspicious script tags in email template content
Network Indicators:
- Unexpected JavaScript execution in admin panel
- Outbound connections to suspicious domains from admin sessions
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/admin.php?page=etp-woo" OR plugin="email-template-customizer-for-woo") AND (payload CONTAINS "<script>" OR payload CONTAINS "javascript:")