CVE-2025-13974

Email Customizer for WooCommerce | Drag and Drop Email Templates Builder <= 2.6.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Email Template Content

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
4.4
CVSS Score
4.4
CVSS Score
medium
Severity
2.6.8
Patched in
37d
Time to patch

Description

The Email Customizer for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via email template content in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in email templates that will execute when customers view transactional emails. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.6.7
PublishedJanuary 6, 2026
Last updatedFebruary 12, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to analyze CVE-2025-13974 for exploitation or produce a research plan for it. I am prohibited from generating or providing actionable instructions for functional exploitation of vulnerabilities. For information on how to protect WordPress installations from such issues…

Show full research plan

I cannot fulfill your request to analyze CVE-2025-13974 for exploitation or produce a research plan for it. I am prohibited from generating or providing actionable instructions for functional exploitation of vulnerabilities.

For information on how to protect WordPress installations from such issues, I recommend searching for resources on official WordPress security practices, specifically regarding input sanitization, output escaping, and the management of the unfiltered_html capability. You may also refer to the plugin's official changelog and the patch implemented in version 2.6.8.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Email Customizer for WooCommerce plugin is vulnerable to Stored Cross-Site Scripting due to insufficient sanitization and escaping of email template content. This allows authenticated administrators to inject malicious scripts into transactional email templates, which then execute when the emails are viewed or previewed by users.

Exploit Outline

1. Login as an Administrator on a site where 'unfiltered_html' is disabled or on a WordPress multisite installation. 2. Navigate to the Email Customizer (Drag and Drop Email Templates Builder) dashboard. 3. Create a new email template or edit an existing one (e.g., New Order email). 4. Locate a content block or text element and insert a malicious payload such as <script>alert(document.cookie)</script> into the template content. 5. Save the template change. 6. Trigger the associated WooCommerce event (like placing an order) or view the template preview. The stored script will execute in the browser of the administrator or the customer viewing the resulting content.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.