CVE-2025-46495
Description
Cross-Site Request Forgery (CSRF) vulnerability in tomontoast Drop Caps drop-caps allows Stored XSS. This issue affects Drop Caps: from n/a through <= 2.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in the WordPress Drop Caps plugin up to version 2.1 allows stored XSS via a forged request executed in a privileged user's browser.
The Drop Caps plugin for WordPress, versions 2.1 and earlier, contains a Cross-Site Request Forgery (CSRF) vulnerability that can lead to Stored Cross-Site Scripting (XSS). The root cause is a missing CSRF check (in WordPress terms, a nonce that is never verified) on at least one administrative action, so a request forged by a third-party page is processed as if the logged-in administrator had submitted it. The description does not name the specific handler; the flaw is documented in the Patchstack advisory [1].
Exploitation requires user interaction: a privileged user (such as an administrator) must be tricked into clicking a malicious link, visiting a crafted page, or submitting a form while authenticated to the site. The attacker needs no account on the site; the forged request is sent by the victim's browser, carrying the victim's session cookies, and modifies plugin settings or injects attacker-controlled markup. Because the injected script is stored rather than reflected, it runs for users who later view the page where the setting is rendered, so the impact outlives the single forged request [1].
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, defacement, or further compromise of the WordPress site. The CVSS score of 6.5 (Medium) reflects the user-interaction requirement and the potential impact on confidentiality, integrity, and availability [1].
No patched version is listed (the affected range is given as "n/a through <= 2.1"), so updating is only possible if the plugin author releases a fix. Until then, deactivate and remove the plugin, or seek assistance from a hosting provider or web developer. The cited advisory reports this vulnerability as used in mass-exploit campaigns, which adds to the urgency of remediation [1].
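As an added illustration, not code from the Drop Caps plugin (whose affected handler is not shown in the description or advisory), the sketch below shows the WordPress pattern the narrative describes: a hypothetical settings handler that saves an attacker-controlled string without verifying a nonce or capability and echoes it unescaped, beside the hardened form. All function names, the option key, and the form field (the `dc_example_*` identifiers) are invented for this example.

```php
<?php
// Added example: hypothetical WordPress plugin settings handler, not Drop Caps code.
// All function, option and field names below are invented for illustration.

// --- Vulnerable pattern -------------------------------------------------
// No nonce check, no capability check, raw input stored, raw output echoed.
// A forged POST from a page the admin visits is sent with the admin's cookies,
// is accepted here, and the stored value is later rendered as HTML (stored XSS).
function dc_example_vuln_save() {
    if ( isset( $_POST['dc_example_prefix'] ) ) {
        update_option( 'dc_example_prefix', $_POST['dc_example_prefix'] );
    }
}

function dc_example_vuln_render() {
    echo '<p>' . get_option( 'dc_example_prefix', '' ) . '</p>';
}

// --- Hardened pattern ---------------------------------------------------
// 1. wp_nonce_field() embeds a token bound to the logged-in user and a time
//    window; check_admin_referer() dies unless the submitted token matches.
//    A third-party page cannot read that token, which is what defeats CSRF.
// 2. current_user_can() is still required: a nonce proves the request came
//    from this plugin's form, not that the user may change settings.
// 3. sanitize_text_field() strips tags on the way in; esc_html()/esc_attr()
//    encode on the way out, so a stored value cannot become script.
function dc_example_safe_form() {
    echo '<form method="post">';
    wp_nonce_field( 'dc_example_save', 'dc_example_nonce' );
    echo '<input type="text" name="dc_example_prefix" value="'
        . esc_attr( get_option( 'dc_example_prefix', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

function dc_example_safe_save() {
    if ( ! isset( $_POST['dc_example_prefix'] ) ) {
        return; // nothing submitted; do not demand a nonce on every admin load
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Verifies $_POST['dc_example_nonce'] against the 'dc_example_save' action;
    // a forged cross-site request carries no valid nonce and stops here.
    check_admin_referer( 'dc_example_save', 'dc_example_nonce' );

    $value = sanitize_text_field( wp_unslash( $_POST['dc_example_prefix'] ) );
    update_option( 'dc_example_prefix', $value );
}

function dc_example_safe_render() {
    echo '<p>' . esc_html( get_option( 'dc_example_prefix', '' ) ) . '</p>';
}

add_action( 'admin_init', 'dc_example_safe_save' );
```

When reviewing a plugin for this class of bug, look for every handler that writes options or post meta from `$_POST`/`$_GET` and confirm all three controls are present together: a nonce check, a capability check, and output escaping. A nonce alone does not stop a low-privilege user who can legitimately load the form, and a capability check alone does not stop a forged request from an administrator's browser; the stored-XSS part of this CVE is what remains when output escaping is also missing.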
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.