CVE-2025-46438
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in warmwhisky GTDB Guitar Tuners guitar-tuner allows Stored XSS. This issue affects GTDB Guitar Tuners: from n/a through <= 4.2.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in GTDB Guitar Tuners WordPress plugin allows authenticated attackers with contributor-level access to inject malicious scripts, affecting versions up to 4.2.2.
The GTDB Guitar Tuners plugin for WordPress (versions through 4.2.2) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This allows an attacker to inject arbitrary JavaScript or HTML that is stored on the server and later executed in the browsers of visitors.
Exploitation requires an authenticated user with at least contributor-level privileges to submit crafted input through a plugin feature, such as tuner settings or custom content fields [1]. While user interaction (e.g., clicking a link) is needed to trigger the initial injection, the stored payload then executes automatically for any subsequent visitor viewing the affected page.
Successful exploitation enables an attacker to inject malicious scripts that can perform actions like redirecting users to phishing sites, displaying unwanted advertisements, or stealing session cookies [1]. The advisory notes that this type of vulnerability is frequently used in mass-exploit campaigns targeting thousands of WordPress sites.
As a mitigation, users should immediately update the plugin to a version newer than 4.2.2. If updating is not possible, the advisory recommends contacting a hosting provider or web developer for assistance [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 4.2.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.