CVE-2025-1289: 
WordPress vulnerability analysis and mitigation

The Plugin Oficial WordPress plugin through version 1.7.3 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-1289. The vulnerability was discovered on January 2, 2025, and publicly disclosed on March 7, 2025. This security issue affects the Getnet para WooCommerce plugin, specifically versions prior to 1.8.1 (WPScan).

The vulnerability stems from improper sanitization and escaping of plugin settings. This security flaw allows high-privilege users, such as administrators, to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed, which is particularly concerning in multisite setups. The vulnerability has been assigned a CVSS score of 3.5 (low severity) and is classified under CWE-79 (WPScan).

When exploited, this vulnerability allows privileged users to inject malicious JavaScript code into the plugin's settings pages. The stored XSS payload would then execute when other administrators access the affected pages, potentially leading to unauthorized actions performed under the victim's account context (WPScan).

The vulnerability has been patched in version 1.8.1 of the Plugin Oficial WordPress plugin. Users are strongly advised to update to this version or later to mitigate the security risk (WPScan).