{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13137", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-13T18:36:14.347Z", "datePublished": "2025-12-06T05:49:21.512Z", "dateUpdated": "2026-04-08T16:37:46.602Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:46.602Z"}, "affected": [{"vendor": "delabon", "product": "Live Sales Notification for Woocommerce \u2013 Woomotiv", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.6.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Live Sales Notification for Woocommerce \u2013 Woomotiv plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'woomotiv_limit' parameter in all versions up to, and including, 3.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "title": "Live Sales Notification for Woocommerce \u2013 Woomotiv <= 3.6.3 - Reflected Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/19257e49-addb-4882-af5f-8de0d90a4a86?source=cve"}, {"url": "https://wordpress.org/plugins/woomotiv/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "timeline": [{"time": "2025-12-05T17:44:31.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-08T20:54:54.206258Z", "id": "CVE-2025-13137", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T20:55:14.373Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13137", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-08T20:54:54.206258Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-08T20:55:07.288Z"}}], "cna": {"title": "Live Sales Notification for Woocommerce \u2013 Woomotiv <= 3.6.3 - Reflected Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Nur Ibnu Hubab"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "delabon", "product": "Live Sales Notification for Woocommerce \u2013 Woomotiv", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.6.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-05T17:44:31.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/19257e49-addb-4882-af5f-8de0d90a4a86?source=cve"}, {"url": "https://wordpress.org/plugins/woomotiv/"}], "descriptions": [{"lang": "en", "value": "The Live Sales Notification for Woocommerce \u2013 Woomotiv plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'woomotiv_limit' parameter in all versions up to, and including, 3.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-06T05:49:21.512Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13137", "state": "PUBLISHED", "dateUpdated": "2025-12-08T20:55:14.373Z", "dateReserved": "2025-11-13T18:36:14.347Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-06T05:49:21.512Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Live Sales Notification for Woocommerce \u2013 Woomotiv plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'woomotiv_limit' parameter in all versions up to, and including, 3.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."}], "id": "CVE-2025-13137", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-12-06T06:15:51.067", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/woomotiv/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/19257e49-addb-4882-af5f-8de0d90a4a86?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T20:53:57.410204+00:00", "value": {"mitigation_remediation": ["Update the Live Sales Notification for WooCommerce - Woomotiv plugin to version 3.6.4 or later to remove the vulnerability.", "If an update is not immediately possible, uninstall the plugin to eliminate the risk.", "As a temporary measure, block or sanitize any request containing the woomotiv_limit parameter using a web application firewall or by enforcing a strict content\u2011security\u2011policy that prevents execution of user\u2011supplied scripts."], "summary": {"action": "Apply Patch", "impact": "Reflected Cross\u2011Site Scripting enabling arbitrary script execution"}, "threat_synthesis": {"affected_systems": "All releases of the Live Sales Notification for WooCommerce - Woomotiv plugin dated up to and including version 3.6.3 are affected. The product is a WordPress plugin used by site administrators to display real\u2011time sales notifications.", "description_and_impact": "The Live Sales Notification for WooCommerce - Woomotiv plugin is vulnerable to reflected cross\u2011site scripting via the woomotiv_limit parameter. The parameter is not properly sanitized or escaped before being rendered in a page, allowing an unauthenticated attacker to inject arbitrary JavaScript that will run when a user follows a crafted link. Based on the description, the likely attack vector involves an attacker tricking a user into clicking a URL that includes the vulnerable woomotiv_limit value.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation. The flaw is not present in the CISA KEV catalog, yet it can be leveraged if an attacker persuades a user to click a malicious link containing the vulnerable woomotiv_limit parameter. Based on the description, the likely attack vector is a phishing\u2011style link that includes crafted input, requiring the victim to click in order to trigger the reflected XSS."}}}}, "created": "2025-12-08T09:39:34.609124+00:00", "updated": "2026-04-22T21:00:06.364784+00:00", "vendors": ["delabon", "delabon$PRODUCT$woomotiv", "woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}