CVE-2025-27355
Published: 24 February 2025
Summary
CVE-2025-27355 is a high-severity CSRF (CWE-352) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 20.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-27355 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the WooCommerce – Loi Hamon WordPress plugin developed by Nicolas GRILLET. The flaw enables Stored XSS and affects all versions from n/a through 1.1.0, as documented in the plugin's vulnerability profile.
Attackers without privileges can exploit this over the network with low attack complexity, though it requires user interaction and results in a changed scope. Successful exploitation via CSRF allows injection of Stored XSS payloads, leading to low impacts on confidentiality, integrity, and availability, with an overall CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).
The Patchstack advisory provides further details on the vulnerability, including assessment and recommended mitigations, accessible at https://patchstack.com/database/Wordpress/Plugin/loi-hamon/vulnerability/wordpress-woocommerce-loi-hamon-plugin-1-1-0-csrf-to-stored-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4311
Vulnerability details
Cross-Site Request Forgery (CSRF) vulnerability in Nicolas GRILLET Woocommerce – Loi Hamon loi-hamon allows Stored XSS. This issue affects Woocommerce – Loi Hamon: from n/a through <= 1.1.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CSRF to Stored XSS in a public-facing WordPress plugin directly enables exploitation of public-facing web applications (T1190), JavaScript execution via the XSS payload (T1059.007), and user interaction via a malicious link that triggers the CSRF (T1204.001).
Mitigating Controls (NIST 800-53 r5)
SC-23 enforces session authenticity mechanisms like anti-CSRF tokens to directly prevent forged requests that exploit this CSRF vulnerability to inject stored XSS payloads.
SI-10 requires validation of information inputs to sanitize and block malicious XSS scripts from being stored via the CSRF vector in the WooCommerce plugin.
SI-2 mandates timely flaw remediation, including patching the vulnerable WooCommerce – Loi Hamon plugin versions up to 1.1.0 to eliminate the CSRF-to-stored XSS vulnerability.
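As an added illustration of the two controls above (SC-23 anti-CSRF tokens and SI-10 input validation), and not the loi-hamon plugin's own code, the following hypothetical WordPress settings handler is shown first without and then with those checks; every `hypo_*` name and option key is an assumption.

```php
<?php
// Added illustration, not the loi-hamon plugin's code. A hypothetical admin
// settings handler that saves a "notice" string later shown on a storefront page.

// BEFORE: the pattern behind CSRF-to-stored-XSS (CWE-352 leading to XSS).
// No nonce check (SC-23 gap) and no sanitization/escaping (SI-10 gap), so a
// request forged from a logged-in admin's browser stores whatever it sends.
function hypo_save_notice_vulnerable() {
    update_option( 'hypo_notice', $_POST['notice'] );   // raw input stored as-is
    wp_safe_redirect( admin_url( 'options-general.php?page=hypo' ) );
    exit;
}

// AFTER: the same handler with both controls applied.
function hypo_save_notice_hardened() {
    // Authorization: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // SC-23 (session authenticity): the request must carry the nonce that was
    // issued to this session for this action; a cross-site POST cannot supply it.
    check_admin_referer( 'hypo_save_notice', 'hypo_nonce' );

    // SI-10 (input validation): strip tags and control characters before storing.
    $notice = isset( $_POST['notice'] )
        ? sanitize_text_field( wp_unslash( $_POST['notice'] ) )
        : '';
    update_option( 'hypo_notice', $notice );
    wp_safe_redirect( admin_url( 'options-general.php?page=hypo' ) );
    exit;
}
add_action( 'admin_post_hypo_save_notice', 'hypo_save_notice_hardened' );

// The settings form issues the nonce that check_admin_referer() later verifies.
function hypo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="hypo_save_notice">';
    wp_nonce_field( 'hypo_save_notice', 'hypo_nonce' );
    echo '<input type="text" name="notice" value="' . esc_attr( get_option( 'hypo_notice', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}

// Output escaping: stored data is escaped again at render time, so a value that
// slipped past validation still cannot execute in a visitor's browser.
function hypo_render_notice() {
    echo '<p class="hypo-notice">' . esc_html( get_option( 'hypo_notice', '' ) ) . '</p>';
}
```

The nonce check alone closes the CSRF vector, while sanitization on input and escaping on output close the stored XSS even if another entry point is found.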