CVE-2025-46491

Vulnerability

Overview The Multi-Column Taxonomy List plugin for WordPress, versions 1.5 and earlier, contains a stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of input during web page generation [1]. This flaw stems from insufficient sanitization of user-supplied data before it is stored and later rendered in the admin interface or frontend.

Exploitation

Conditions Exploitation requires an authenticated user with at least contributor-level privileges to inject malicious scripts via the plugin's input fields [1]. The attack does not require high privileges but does rely on the stored payload being executed when an administrator or other privileged user subsequently views the affected page. This user interaction is necessary for the XSS to trigger.

Impact

A successful attack allows the threat actor to inject arbitrary HTML and JavaScript payloads, which may lead to redirects, ad injection, or other malicious actions when visitors access the compromised site [1]. Such vulnerabilities are commonly targeted in mass exploitation campaigns against WordPress sites.

Mitigation

The vendor has not released a patched version for this plugin; users are advised to update if available or apply a workaround such as disabling the plugin and using a web application firewall to block malicious input [1].