CVE-2025-23493

Vulnerability

Overview The Google Transliteration plugin for WordPress versions 1.7.2 and below contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This allows an attacker to inject arbitrary HTML and JavaScript into the response.

Exploitation

Details An attacker can exploit this by crafting a malicious URL containing the payload and tricking a privileged user (such as an administrator) into clicking it. No authentication is required from the attacker, but successful exploitation depends on user interaction [1]. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites.

Impact

If exploited, the attacker can execute arbitrary scripts in the context of the victim's browser, potentially leading to redirects, advertisement injection, data theft, or further compromise of the WordPress site [1].

Mitigation

Users are advised to update the plugin to the latest patched version immediately. If an update is not yet available, applying a virtual patch or mitigation rule, such as the one provided by Patchstack, can block attacks until an official fix is deployed [1].