CVE-2025-46487
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sftranna EC Authorize.net ec-authorizenet allows Reflected XSS. This issue affects EC Authorize.net: from n/a through <= 0.3.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS vulnerability in EC Authorize.net WordPress plugin (≤0.3.3) allows attackers to inject arbitrary scripts via unneutralized input.
Vulnerability Overview
CVE-2025-46487 is a reflected Cross-Site Scripting (XSS) vulnerability found in the EC Authorize.net plugin for WordPress, affecting versions from 0.0.0 through 0.3.3. The root cause is improper neutralization of user-supplied input during web page generation, enabling an attacker to inject malicious scripts that are reflected back to the user's browser [1].
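The weakness class behind this CVE (CWE-79, reflected XSS) comes down to writing a request parameter into generated HTML without encoding it for the context it lands in. The following is an added, generic illustration in the WordPress/PHP idiom; it is not code from the EC Authorize.net plugin, and the function names, the `msg` parameter and the markup are hypothetical. It shows the vulnerable pattern next to a hardened version that uses the WordPress escaping helpers (`sanitize_text_field`, `wp_unslash`, `esc_html`, `esc_attr`).

```php
<?php
// Generic illustration of CWE-79 (reflected XSS) in a WordPress plugin page.
// Added example, not code from the EC Authorize.net plugin; the function
// names, the 'msg' request parameter and the markup are hypothetical.

// Vulnerable pattern: a request parameter is written straight into the page.
// The value reaches two different HTML contexts (element content and an
// attribute value) with no output encoding in either.
function render_status_vulnerable() {
    $msg = isset($_GET['msg']) ? $_GET['msg'] : '';
    echo '<p class="notice">' . $msg . '</p>';
    echo '<input type="text" name="ref" value="' . $msg . '">';
}

// Hardened pattern: normalise on input, then encode for the exact output context.
function render_status_hardened() {
    // wp_unslash() removes the slashes WordPress adds to superglobals;
    // sanitize_text_field() strips tags, null bytes and control characters.
    $msg = isset($_GET['msg']) ? sanitize_text_field(wp_unslash($_GET['msg'])) : '';

    // The encoder must match the context the value is placed in:
    // esc_html() for element content, esc_attr() for attribute values.
    echo '<p class="notice">' . esc_html($msg) . '</p>';
    echo '<input type="text" name="ref" value="' . esc_attr($msg) . '">';
}
```

Input sanitisation alone is not enough: `sanitize_text_field()` is a normalisation step, and the actual protection is the context-specific escaping at the point of output. Code review for this class of bug therefore checks every `echo`/`printf` of request-derived data for a matching `esc_*()` call, and admin-facing pages additionally get a capability check and a nonce so a crafted link cannot drive a privileged user's browser through the form.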
Exploitation Details
Exploitation requires user interaction: a privileged user, such as an administrator, must click a specially crafted link or visit a maliciously constructed page. No prior authentication for the attacker is specified; the attack is remote and can be launched against any website running the vulnerable plugin. The reflected nature means the payload is executed immediately in the context of the victim's session, within the origin of the vulnerable site, so the browser's same-origin protections do not contain it [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, redirection to malicious sites, defacement, or theft of sensitive information. Given that this vulnerability is expected to be used in mass-exploit campaigns, it poses a significant risk to all affected WordPress installations, regardless of size or popularity [1].
Mitigation
No official patch is available for versions up to 0.3.3. Patchstack has released a mitigation rule to block attacks until an update is applied. The immediate recommended action is to update the plugin to a patched version if available, or alternatively, seek assistance from a hosting provider or web developer to implement a virtual patch or disable the plugin [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 0.3.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.