CVE-2025-46234
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Habibur Rahman Razib Control Listings control-listings allows Reflected XSS.This issue affects Control Listings: from n/a through <= 1.0.4.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in WordPress Control Listings plugin (<=1.0.4.1) allows script injection via crafted requests, requiring user interaction.
The Control Listings plugin for WordPress versions up to and including 1.0.4.1 is vulnerable to Reflected Cross-Site Scripting (XSS) due to improper neutralization of input during web page generation [1]. This means that user-supplied data is not properly sanitized before being reflected in the output, allowing an attacker to inject arbitrary HTML and JavaScript code.
Exploitation requires a privileged user (e.g., an administrator) to interact with a malicious link, crafted page, or form [1]. The attack can be initiated by an unauthenticated attacker who sends a crafted URL to a logged-in administrator. When the administrator clicks the link, the injected script executes in their browser context.
Successful exploitation could allow an attacker to inject malicious scripts, such as redirects, advertisements, and other HTML payloads, which are executed when other users visit the affected site [1]. This could lead to session hijacking, defacement, or malware distribution.
The vulnerability is patched in version 1.0.5. Users are advised to update immediately [1]. As an interim measure, Patchstack offers a mitigation rule to block attacks until the plugin is updated [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.