CVE-2025-46478
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in metaloha Dropdown Content dropdown-content allows Stored XSS. This issue affects Dropdown Content: from n/a through <= 1.0.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WordPress Dropdown Content plugin ≤1.0.2 allows attackers to inject malicious scripts into pages, executed for visitors.
The WordPress Dropdown Content plugin, versions 1.0.2 and earlier, contains a stored cross-site scripting (XSS) vulnerability arising from improper neutralization of user input during webpage generation [1]. This allows an authenticated attacker with sufficient privileges to inject arbitrary HTML and JavaScript code into the plugin's output, where it is stored on the server and subsequently rendered in the browsers of site visitors [1].
Exploitation requires the attacker to have a role capable of inserting or editing content that passes through the vulnerable plugin component, and a privileged user (such as an admin) may need to perform an action like visiting a crafted page or clicking a malicious link to store the payload [1]. Once stored, the injected script executes automatically when any user views the affected page, without further interaction from the victim [1].
The impact of successful exploitation includes the execution of arbitrary script code in the context of the target user's browser, which can be used to redirect visitors, display advertisements, steal session cookies, or deface the site [1]. The vulnerability carries a CVSS v3 base score of 7.1, indicating high severity [1].
Users are strongly advised to update the Dropdown Content plugin to a patched version as soon as possible [1]. If an update is not available, those unable to upgrade should seek assistance from their hosting provider or web developer to implement temporary mitigation measures [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1.0.2
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.