Cyber Posture

CVE-2025-1486

High · Public PoC

Published: 13 March 2025

Modified: 09 April 2025
KEV Added:
Patch:
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0009 (25.0th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)


Security Summary

CVE-2025-1486, published on 2025-03-13, is a reflected cross-site scripting (XSS) vulnerability in the WoWPth WordPress plugin through version 2.0. The plugin fails to sanitize and escape a parameter before outputting it back in the page, enabling attackers to inject malicious scripts. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) and maps to CWE-79 (Improper Neutralization of Input During Web Page Generation).

An unauthenticated attacker can exploit this over the network with low complexity by tricking a high-privilege user, such as an administrator, into interacting with a malicious link or page (UI:R). Upon success, arbitrary JavaScript executes in the victim's browser context with changed scope (S:C), potentially leading to low-severity impacts on confidentiality, integrity, and availability, such as session hijacking or unauthorized actions performed as the targeted user.

The WPScan advisory at https://wpscan.com/vulnerability/182ecda8-3385-4f9f-a917-efdeb237247c/ provides additional details on this vulnerability, including potential mitigation steps.

Details

CWE(s)
CWE-79

Affected Products

Vendor: andreafarracani
Product: wowpth
Versions: ≤ 2.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Reflected XSS in a public-facing WordPress plugin enables exploitation of a public-facing application (T1190) and execution of arbitrary JavaScript via a malicious link (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0