Attack Vectors
CVE-2025-13974 is a Medium-severity (CVSS 4.4) Stored Cross-Site Scripting (XSS) issue in the WordPress plugin Email Customizer for WooCommerce | Drag and Drop Email Templates Builder (slug: email-customizer-for-woocommerce) affecting versions 2.6.7 and earlier.
The attack requires an authenticated user with administrator-level access (or higher). An attacker with that role can place malicious script into WooCommerce email template content through the plugin’s customization features.
The injected script is “stored” in the template and can execute later when customers view affected transactional emails. According to the published advisory, this exposure only affects multi-site installations and installations where unfiltered_html has been disabled.
Security Weakness
The underlying weakness is insufficient input sanitization and output escaping in email template content handling. In practical terms, unsafe content can be saved into templates and later rendered in a way that allows scripts to run.
This matters for business leaders because email templates are a high-trust channel. Even if the attacker needs admin access, in multi-site environments or organizations with multiple admins, that access can be obtained through credential theft, vendor access, or internal misuse.
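The following is an added example, not code from the plugin, the advisory, or WordPress itself. It models in Python the two controls whose absence the weakness describes: a capability check that mirrors the WordPress unfiltered_html convention (which is exactly the condition the advisory ties the exposure to), and an allowlist sanitizer in the spirit of wp_kses_post() that is applied to template markup before it is stored, followed by HTML escaping of per-customer values at render time. The function names, the tag and attribute allowlist, the `{{placeholder}}` syntax and the sample template are all constructed for this illustration; a vulnerable store function sits beside the hardened one for contrast.

```python
"""Added illustration (not the plugin's code): capability check plus allowlist
sanitization before storage, and output escaping at render time."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: what a transactional email template needs, nothing that runs script.
ALLOWED_TAGS = {"h1", "h2", "p", "br", "strong", "em", "a", "img", "ul", "li",
                "table", "tr", "td", "span", "div"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
                 "td": {"colspan"}}
# Elements whose whole subtree is discarded; other disallowed tags keep their text.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg", "math"}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def _clean_attr(tag, name, value):
    """Return an attribute fragment to re-emit, or None to drop the attribute."""
    if name not in ALLOWED_ATTRS.get(tag, set()):
        return None  # event handlers (onerror, onclick, ...) are never allowlisted
    if value is None:
        return f" {name}"
    if name in URL_ATTRS:
        # Browsers ignore tab/CR/LF inside a URL, so remove them before the
        # scheme check; otherwise "java\tscript:" would slip past it.
        value = value.strip()
        for ch in "\t\r\n":
            value = value.replace(ch, "")
        scheme = urlsplit(value).scheme.lower()
        if scheme and scheme not in SAFE_URL_SCHEMES:
            return None  # javascript:, data:, vbscript: and similar
    return f' {name}="{html.escape(value, quote=True)}"'


class _AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes; text is re-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._out = []
        self._dropping = 0  # depth inside a DROP_WITH_CONTENT subtree

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._dropping += 1
            return
        if self._dropping or tag not in ALLOWED_TAGS:
            return  # unknown tag: strip the tag itself, keep its text
        kept = [_clean_attr(tag, n, v) for n, v in attrs]
        self._out.append(f"<{tag}{''.join(a for a in kept if a)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self._dropping:
                self._dropping -= 1
            return
        if not self._dropping and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self._out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._dropping:
            self._out.append(html.escape(data, quote=False))

    # handle_comment is deliberately not overridden: HTML comments are dropped.

    def result(self):
        return "".join(self._out)


def sanitize_html(markup: str) -> str:
    parser = _AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return parser.result()


def store_template_vulnerable(raw_html: str, user_can_unfiltered_html: bool) -> str:
    """The weakness in miniature: the submitted markup is saved verbatim,
    whether or not the user is allowed to post raw HTML."""
    return raw_html


def store_template(raw_html: str, user_can_unfiltered_html: bool) -> str:
    """WordPress convention: only a user holding unfiltered_html (on multisite,
    normally just the super admin) may save raw markup; everyone else's
    template content passes through the allowlist before it is stored."""
    return raw_html if user_can_unfiltered_html else sanitize_html(raw_html)


_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_template(stored_html: str, context: dict) -> str:
    """Output escaping: per-customer values are HTML-escaped (esc_html-style)
    on substitution, so a hostile name or order note cannot add markup."""
    return _PLACEHOLDER.sub(
        lambda m: html.escape(str(context.get(m.group(1), "")), quote=True), stored_html)


# Constructed sample template carrying three classic stored-XSS vectors.
SAMPLE_TEMPLATE = (
    "<h1>Thanks for your order, {{customer_name}}!</h1>"
    '<p onmouseover="alert(1)">Your order <strong>#{{order_id}}</strong> is confirmed.</p>'
    "<script>alert(1)</script>"
    '<a href="javascript:alert(1)">View order</a>'
    '<a href="https://shop.example/my-account">My account</a>'
    '<img src="https://shop.example/logo.png" alt="Shop">'
)

if __name__ == "__main__":
    stored = store_template(SAMPLE_TEMPLATE, user_can_unfiltered_html=False)
    print(stored)
    print(render_template(stored, {"customer_name": "<b>Eve</b>", "order_id": 1042}))
```

Running the script shows the event handler, the `<script>` element and the `javascript:` link removed while the legitimate link and image survive, and the render step shows a customer name containing markup arriving as inert text. The sanitizer is intentionally simple (it does not balance unclosed tags the way kses does); the point is the pattern: decide by capability whether raw markup is acceptable, sanitize against an allowlist at save time, and escape dynamic values at output time rather than relying on either control alone.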
Technical or Business Impacts
If exploited, the customer experience can be directly impacted: malicious scripts may execute when customers view transactional emails, potentially enabling brand impersonation, misleading prompts, or content manipulation within the email experience.
From a business-risk perspective, likely impacts include reputational damage (customers receiving or viewing tampered messages), fraud and social engineering risk (customers being tricked into unsafe actions), and compliance exposure if customer data handling or communications integrity is questioned by regulators, auditors, or enterprise clients.
Recommended remediation is straightforward: update Email Customizer for WooCommerce | Drag and Drop Email Templates Builder to version 2.6.8 or newer, which includes a patch for this issue.
Similar Attacks
Stored XSS has been a recurring issue across many web platforms and plugins, often because template and content editors are attractive places to hide malicious payloads. For additional context, these public cases show how serious stored XSS can be:
CVE-2023-2745 (Stored XSS example)
CVE-2021-44223 (Stored XSS example)
CVE-2020-11022 (XSS in a widely used library)