VYPR
High severity (7.1) · NVD Advisory · Published May 23, 2025 · Updated Apr 23, 2026

CVE-2025-46448

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in reifsnyderb Document Management System dms allows Reflected XSS. This issue affects Document Management System: from n/a through <= 1.24.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in the WordPress Document Management System plugin (≤1.24) allows unauthenticated attackers to inject arbitrary scripts via improperly neutralized input.

Vulnerability

Overview

The WordPress Document Management System plugin (dms) versions up to and including 1.24 contain a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of input during web page generation [1]. This means the plugin fails to sanitize user-supplied data before echoing it back in a response, allowing an attacker to inject arbitrary JavaScript or HTML.
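As an added illustration, not code from the plugin or from the advisory, the PHP below shows the CWE-79 pattern the overview describes: a request parameter echoed straight into the generated page, next to the WordPress-idiomatic fix (unslash and sanitize on input, escape for the exact output context). The parameter name dms_search and the two render functions are assumptions; the WordPress escaping helpers are given fallback definitions so the file also runs outside WordPress.

```php
<?php
// Added illustration of the reflected XSS (CWE-79) pattern described above.
// Hypothetical code: NOT the Document Management System plugin's source.
// The parameter name 'dms_search' and the function names are assumptions.

// Fallbacks so this file runs outside WordPress; inside WordPress the real
// esc_html(), esc_attr(), sanitize_text_field() and wp_unslash() are used.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $text ) {
        return trim( strip_tags( (string) $text ) );
    }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) {
        return stripslashes( (string) $value );
    }
}

// Vulnerable pattern: the request parameter is written into the response
// unchanged, once inside an attribute value and once as HTML text.
function dms_render_search_vulnerable( array $get ) {
    $term = isset( $get['dms_search'] ) ? $get['dms_search'] : '';
    return '<input type="text" name="dms_search" value="' . $term . '">'
         . '<p>Results for: ' . $term . '</p>';
}

// Hardened pattern: unslash and sanitize on the way in, then escape for the
// output context the value lands in (esc_attr for attributes, esc_html for text).
function dms_render_search_fixed( array $get ) {
    $term = isset( $get['dms_search'] )
        ? sanitize_text_field( wp_unslash( $get['dms_search'] ) )
        : '';
    return '<input type="text" name="dms_search" value="' . esc_attr( $term ) . '">'
         . '<p>Results for: ' . esc_html( $term ) . '</p>';
}

// Constructed sample request standing in for $_GET; the value contains the
// characters (quote, angle brackets) that must never reach the page unescaped.
$sample_get = array( 'dms_search' => '"><script>alert(1)</script>' );

echo "Vulnerable output:\n" . dms_render_search_vulnerable( $sample_get ) . "\n\n";
echo "Hardened output:\n" . dms_render_search_fixed( $sample_get ) . "\n";
```

Run it with `php example.php`: the vulnerable render closes the attribute and emits a live script element, while the hardened render leaves only inert, entity-encoded text. When reviewing a plugin for this class of defect, the thing to grep for is any `$_GET`, `$_POST` or `$_REQUEST` value that reaches `echo`, `print` or string concatenation into markup without passing through an `esc_*` function matching its context.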

Exploitation

Exploitation requires user interaction—a privileged user must click a crafted link or submit a specially formed request [1]. The attacker does not need any prior authentication; the vulnerability can be triggered by an unauthenticated user sending a malicious link to a victim with access to the WordPress admin panel. Because the flaw is reflected, the injected payload is executed in the context of the victim's browser session.

Impact

If successfully exploited, an attacker can inject malicious scripts that may redirect visitors, display advertisements, or steal session cookies and other sensitive data [1]. The CVSS v3 base score is 7.1 (High), and the vulnerability is considered moderately dangerous. It is expected to be used in mass-exploit campaigns, targeting thousands of websites regardless of their traffic size [1].

Mitigation

The vendor has not released a patched version as of the publication date. The recommended immediate action is to update the plugin once a patch becomes available [1]. In the meantime, users can apply a virtual mitigation rule from Patchstack to block attacks or contact their hosting provider for assistance [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)