Attack Vectors
Premmerce WooCommerce Customers Manager (WordPress plugin slug: woo-customers-manager) is affected by a Medium-severity reflected cross-site scripting (XSS) vulnerability (CVE-2025-13369, CVSS 6.1).
The attack is carried out by sending a crafted link (or request) containing malicious script code in specific URL parameters: money_spent_from, money_spent_to, registered_from, and registered_to. Because this is reflected XSS, the malicious code executes when an administrator or other privileged user clicks the link and loads the affected page.
No authentication is required for the attacker to create and distribute the malicious link, but the attacker typically needs to successfully trick an administrator into clicking it (for example, via phishing email, a fake support request, or a message that appears to reference a legitimate customer or order inquiry).
Security Weakness
The underlying issue is insufficient input sanitization and output escaping for the affected parameters. In practical terms, user-supplied data can be reflected back into an administrative page without being properly cleaned or safely displayed, creating an opportunity for browser-executed script injection.
According to the published advisory, this vulnerability impacts all versions up to and including 1.1.14 of Premmerce WooCommerce Customers Manager.
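As an added illustration of the weakness described above (example code written for this page, not the plugin's own source): a hypothetical admin filter form that reflects the four affected parameter names back into the page, shown first as the unsafe pattern and then with input sanitization, output escaping, and type validation. The function names and the form markup are assumptions; esc_attr(), sanitize_text_field() and wp_unslash() are real WordPress functions, and the file defines minimal stand-ins for them only so that it also runs outside WordPress.

```php
<?php
// Added example for this page, not the plugin's own source. The helper names
// and the form markup are assumptions; the four parameter names are the ones
// named in the advisory.

// Minimal stand-ins so the file runs outside WordPress. Inside WordPress the
// real functions already exist and these blocks are skipped.
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) { return is_string( $value ) ? stripslashes( $value ) : $value; }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $value ) { return trim( strip_tags( (string) $value ) ); }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $value ) { return htmlspecialchars( (string) $value, ENT_QUOTES, 'UTF-8' ); }
}

// Unsafe pattern: the raw query value is written straight into an HTML
// attribute, so whatever the URL carries is reflected into the admin page.
function unsafe_filter_field( string $name ): string {
    $value = isset( $_GET[ $name ] ) ? $_GET[ $name ] : '';
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: unslash and sanitize on input, then escape for the
// attribute context on output. The output escaping is the step that stops
// a reflected value from being interpreted as markup.
function hardened_filter_field( string $name ): string {
    $value = isset( $_GET[ $name ] ) ? sanitize_text_field( wp_unslash( $_GET[ $name ] ) ) : '';
    return '<input type="text" name="' . esc_attr( $name ) . '" value="' . esc_attr( $value ) . '">';
}

// Tighter still: these filters have an expected type, so anything that is not
// a number (money range) or a YYYY-MM-DD date (registration range) is dropped
// before it can be reflected at all.
function validated_filter_value( string $name ): string {
    $raw = isset( $_GET[ $name ] ) ? sanitize_text_field( wp_unslash( $_GET[ $name ] ) ) : '';
    if ( $raw === '' ) {
        return '';
    }
    if ( strpos( $name, 'money_spent' ) === 0 ) {
        return is_numeric( $raw ) ? (string) (float) $raw : '';
    }
    if ( strpos( $name, 'registered' ) === 0 ) {
        $d = DateTime::createFromFormat( 'Y-m-d', $raw );
        return ( $d && $d->format( 'Y-m-d' ) === $raw ) ? $raw : '';
    }
    return '';
}

// Constructed request for the demonstration: one harmless value and one that
// carries markup characters, to show what reaches the page in each variant.
$_GET = array(
    'money_spent_from' => '100',
    'registered_from'  => '2024-01-01">',
);
foreach ( array( 'money_spent_from', 'money_spent_to', 'registered_from', 'registered_to' ) as $param ) {
    echo 'unsafe    : ', unsafe_filter_field( $param ), "\n";
    echo 'hardened  : ', hardened_filter_field( $param ), "\n";
    echo 'validated : ', $param, ' = "', validated_filter_value( $param ), '"', "\n";
}
```

Run with `php example.php`. The hardened line shows the quote and angle bracket in the constructed registered_from value arriving as &quot; and &gt; rather than as live markup, and the validated variant discards that value entirely because it is not a well-formed date. When reviewing a plugin for this class of bug, the question to ask at each echo is which output context the value lands in (attribute, text, URL, JavaScript) and whether the escaping function matches that context.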
Technical or Business Impacts
While rated Medium, reflected XSS can have outsized business consequences because it targets the people who have the most powerful access. If an admin’s browser executes attacker-controlled scripts, potential outcomes include unauthorized actions performed in the admin’s session, manipulation of page content, or collection of sensitive information visible to that user.
For marketing leaders and executives, the key risks include loss of trust (site defacement or unexpected behavior), privacy and compliance exposure (if customer data is accessed through an admin session), and operational disruption (time spent investigating, cleaning, and communicating with stakeholders). This can also lead to secondary costs such as incident response, legal review, and increased customer support volume.
Recommended remediation: update Premmerce WooCommerce Customers Manager to version 1.1.15 or a newer patched version. As near-term risk reducers, limit who has admin access, reinforce phishing awareness (since user interaction is required), and ensure monitoring is in place for unusual admin activity.
Similar Attacks
Reflected XSS has repeatedly been used to compromise administrative sessions and perform unauthorized actions. Examples include:
Adobe Flash Player XSS-related security issues (CISA alert)
CVE-2018-8174 (Internet Explorer scripting engine memory corruption used in targeted attacks; often paired with web-script delivery techniques)
WordPress hardening guidance (common mitigations against script injection and admin compromise)
For reference, the CVE record for this issue is CVE-2025-13369, and the advisory source is the Wordfence vulnerability report.