CVE-2025-62957
NikanWP · NikanWP Multiple Products
Executive summary
A high-severity vulnerability has been identified in multiple NikanWP products, specifically within the WooCommerce Reporting wc-reports-lite component. This flaw allows an attacker to trick an authenticated administrator into unknowingly executing malicious actions, which can lead to the injection of persistent malicious code into the website. Successful exploitation could result in the compromise of administrator and user accounts, theft of sensitive customer data, and a complete takeover of the affected website's functionality.
Vulnerability
The vulnerability is a Cross-Site Request Forgery (CSRF) that leads to Stored Cross-Site Scripting (XSS). The wc-reports-lite component lacks sufficient CSRF protection, such as security nonces, on functions that save data. An attacker can craft a malicious link or web page and trick a logged-in administrator into clicking it. When the administrator interacts with the malicious link, their browser automatically sends a forged request to the vulnerable website, which the application trusts and processes. This forged request can contain a malicious script payload that gets stored in the website's database (e.g., within a report's settings or data). This stored script will then execute in the browser of any user, including other administrators, who views the compromised page, leading to potential session hijacking or further attacks.
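As an added illustration (not NikanWP's code; the advisory publishes no source), the WordPress save-handler shape this flaw describes sits beside its hardened form. Every hook, function and option name (the nwp_* identifiers) is hypothetical.

```php
<?php
// Added illustration, not NikanWP's code: a report-settings save handler
// in the shape the advisory describes (no nonce, no capability check,
// no sanitization), followed by a hardened version. All hook, function
// and option names (nwp_*) are hypothetical.

// VULNERABLE pattern: any request that reaches this hook is trusted. A forged
// cross-site POST issued by a logged-in admin's browser lands here too, and
// whatever it carries is stored and later rendered verbatim.
add_action( 'admin_post_nwp_save_report_vulnerable', function () {
    $title = $_POST['report_title'];                // raw, unsanitized
    update_option( 'nwp_report_title', $title );    // stored XSS sink
    wp_safe_redirect( admin_url( 'admin.php?page=nwp-reports' ) );
    exit;
} );

// HARDENED pattern: prove the request came from a form this site rendered,
// prove the user may change report settings, and sanitize on save.
add_action( 'admin_post_nwp_save_report', function () {
    // Ends the request with wp_die() unless the nonce for this action is valid.
    check_admin_referer( 'nwp_save_report', 'nwp_nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'nwp' ), 403 );
    }
    $title = isset( $_POST['report_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['report_title'] ) )
        : '';
    update_option( 'nwp_report_title', $title );
    wp_safe_redirect( admin_url( 'admin.php?page=nwp-reports' ) );
    exit;
} );

// The form feeding the hardened handler carries the matching nonce...
function nwp_render_report_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="nwp_save_report">
        <?php wp_nonce_field( 'nwp_save_report', 'nwp_nonce' ); ?>
        <input type="text" name="report_title"
               value="<?php echo esc_attr( get_option( 'nwp_report_title', '' ) ); ?>">
        <?php submit_button( __( 'Save', 'nwp' ) ); ?>
    </form>
    <?php
}

// ...and output is escaped at render time, so even a value stored before the
// fix cannot execute where the setting is displayed.
function nwp_render_report_title() {
    echo '<h2>' . esc_html( get_option( 'nwp_report_title', '' ) ) . '</h2>';
}
```

The nonce check alone closes the CSRF path; the capability check, sanitization on save and escaping on output are the defence in depth that keeps a single missed nonce from becoming stored XSS again.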
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.8, posing a significant risk to the business. Successful exploitation could lead to severe consequences, including the theft of sensitive customer data from WooCommerce, such as names, addresses, and order histories, resulting in regulatory fines (e.g., GDPR, PCI-DSS) and legal action. Attackers could also compromise administrator accounts, allowing them to deface the website, install backdoors, or pivot to other systems within the network. The resulting reputational damage and loss of customer trust could lead to substantial financial losses.
Remediation
Immediate Action: Apply the security updates provided by the vendor, NikanWP, to all affected products without delay, prioritizing internet-facing systems. After patching, review web server and application access logs for unusual activity or requests directed at the wc-reports-lite endpoints that may indicate a compromise or an exploitation attempt.
Proactive Monitoring: Configure monitoring systems to alert on suspicious activity. This includes scrutinizing logs for unexpected POST requests to administrative endpoints, particularly those related to the reporting plugin. Implement Web Application Firewall (WAF) rules to detect and block common XSS and CSRF attack patterns. Monitor website pages for any unauthorized modifications or the presence of unexpected script tags.
Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce risk. Restrict access to the website's administrative dashboard to trusted IP addresses only. Enforce the use of a robust Web Application Firewall (WAF) with rules specifically designed to block XSS and CSRF attacks. Ensure Multi-Factor Authentication (MFA) is enabled for all administrative accounts to mitigate the risk of account takeover even if session tokens are compromised.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score of 8.8 and the direct threat to sensitive customer data and administrative control, this vulnerability requires immediate attention. We strongly recommend that all organizations using the affected NikanWP products apply the vendor-supplied patches as the highest priority action. Although this CVE is not currently listed on the CISA KEV catalog, its potential for significant business disruption warrants treating it with the same level of urgency as a known exploited vulnerability. Patching should be followed by a thorough review of system logs to ensure no compromise has already occurred.