
CVE-2025-1303 Scanner

CVE-2025-1303 Scanner - Cross-Site Scripting (XSS) vulnerability in Plugin Oficial - Getnet para WooCommerce

Short Info

Level: Medium
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 17 days 3 hours
Scan only one: Domain, Subdomain, IPv4


The Plugin Oficial - Getnet para WooCommerce is utilized by online merchants who are ready to expand their payment options within their WordPress WooCommerce store. The plugin allows them to integrate Getnet's payment gateway services effectively into their online shops, ensuring a seamless transaction process for their customers. Merchants rely on it to handle diverse payment methods, ensuring flexibility in customer transactions. Businesses of all sizes use this plugin for its convenience and wide-ranging compatibility with different payment methods. It is particularly beneficial for businesses that operate globally and need to provide multiple currency options to maximize their customer base. The plugin is designed to be user-friendly, allowing smooth integration even for those without extensive technical background.

Cross-Site Scripting (XSS) is a vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. The Plugin Oficial - Getnet para WooCommerce versions up to 1.8.0 are susceptible to such attacks due to inadequate input sanitization. An unauthenticated attacker who tricks a user into clicking a specially crafted link can execute arbitrary web scripts in that user's browser context. The scripts may steal sensitive data or perform actions on behalf of the user without their consent. XSS vulnerabilities represent a significant security risk because they can compromise the integrity and confidentiality of user interactions with the vulnerable site. Plugin users need to patch this vulnerability to safeguard user trust and data integrity.

The vulnerability resides in the plugin's 'page' parameter, whose input is not adequately sanitized. A malicious payload placed in this parameter executes as script when the crafted link is loaded in a user's browser. The vulnerable endpoint is the privacy-policy.php page under the /wp-content/plugins/wc-checkout-getnet/views/partials/settings/ directory. Attackers can exploit it by embedding a harmful script within the 'page' parameter, which is executed in the user's browser when the link is accessed. A session may be hijacked, or user data might be stolen, directly affecting the integrity of personal information and potentially leading to exploitation across the user's interactions. Systems running the flawed implementation remain vulnerable until a secure version is deployed.
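For site owners who want to check their own traffic, the following added example (not S4E's scanner and not the plugin's code) reviews web server access logs for requests to the endpoint named above whose 'page' value contains anything other than slug characters. It assumes Combined Log Format and that a legitimate 'page' value only needs letters, digits, hyphens and underscores; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Path and parameter name come from the vulnerability description above.
VULN_PATH = "/wp-content/plugins/wc-checkout-getnet/views/partials/settings/privacy-policy.php"
PARAM = "page"
# Assumption: a legitimate page slug needs only these characters.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_\-]*$")
# Client IP, request target and status from a Combined Log Format line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %253C) a bounded number of times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_lines):
    """Return (client_ip, status, decoded_value) for risky hits on the endpoint."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        url = urlsplit(target)
        if fully_decode(url.path).lower() != VULN_PATH:
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            value = fully_decode(raw)
            if not SAFE_VALUE.match(value):
                hits.append((ip, int(status), value))
    return hits

# Constructed sample lines (documentation IP ranges, not real traffic).
TS = '- - [10/Mar/2025:10:00:01 +0000]'
SAMPLE_LOG = [
    f'198.51.100.4 {TS} "GET /wp-admin/admin.php?page=wc-settings HTTP/1.1" 200 900',
    f'198.51.100.4 {TS} "GET {VULN_PATH}?page=getnet-settings HTTP/1.1" 200 512',
    f'203.0.113.7 {TS} "GET {VULN_PATH}?page=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 540',
    f'203.0.113.9 {TS} "GET {VULN_PATH}?page=%253Cb%253E HTTP/1.1" 403 153',
]

if __name__ == "__main__":
    for ip, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} status={status} page={value!r}")
```

A 200 status on a flagged request means the page was served with that value and the client that followed the link should be investigated; a 403 suggests a WAF or access rule already blocked it.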

Exploitation of this vulnerability can lead to several adverse effects. Users interacting with the vulnerable page may have their session data compromised, potentially leading to unauthorized actions performed in their name. Sensitive information, like authentication details and personal data, could be harvested by attackers, leading to privacy breaches. Furthermore, the exploitation may result in the installation of malicious software, utilizing the hijacked browser as a springboard for broader attacks. These actions can damage the trust and goodwill of customers using the affected WooCommerce store, impacting its reputation and potentially leading to loss of revenue. Businesses may also face legal challenges if compromised sessions lead to data breaches violating user privacy protections.
