CVE-2025-46502
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bas Matthee LSD Custom taxonomy and category meta custom-taxonomy-category-and-term-fields allows Cross Site Request Forgery. This issue affects LSD Custom taxonomy and category meta: from n/a through 1.3.2 (inclusive).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF to Stored XSS in the LSD Custom taxonomy and category meta plugin (≤1.3.2): a crafted cross-site request, executed by a logged-in admin's browser, stores attacker-controlled script that later runs in the admin panel.
Root Cause
The LSD Custom taxonomy and category meta WordPress plugin, versions up to and including 1.3.2, is vulnerable to Cross-Site Request Forgery (CSRF) that leads to Stored Cross-Site Scripting (XSS). Two defects combine: the request that writes plugin-managed data is not protected by a nonce or equivalent anti-CSRF check, so a victim's browser can be made to submit it from an attacker-controlled page, and the stored value is not neutralized when it is rendered into an admin page, so attacker-supplied markup executes there. The CWE classification (CWE-79) describes the stored payload; the missing request-forgery check is the delivery vector [1].
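The following is an added, illustrative example written for this page; it is not code from the LSD Custom taxonomy and category meta plugin, and the hook names, form field names and meta key (everything prefixed `lsd_example_`) are hypothetical. It shows a WordPress `admin_post_*` handler with the two defects the advisory describes (no CSRF check on the write, no escaping on the read) next to a hardened version that applies a capability check, a nonce, input sanitisation and output escaping.

```php
<?php
/**
 * Added illustrative example, not code from the LSD Custom taxonomy and
 * category meta plugin. Hook names, field names and the meta key
 * (lsd_example_*) are hypothetical.
 */

/* ---------- Vulnerable pattern: what "CSRF to stored XSS" looks like ---------- */

// admin_post_* handlers run for any logged-in user who reaches admin-post.php;
// WordPress performs no nonce or capability check for them on its own.
add_action( 'admin_post_lsd_example_save_vuln', 'lsd_example_save_vuln' );
function lsd_example_save_vuln() {
    // No nonce: a cross-site form auto-submitted by the victim's browser
    // arrives with the admin's session cookie and is accepted.
    // No capability check, no sanitisation: raw input is persisted.
    $term_id = (int) $_POST['term_id'];
    update_term_meta( $term_id, 'lsd_example_meta', $_POST['lsd_example_meta'] );
    wp_safe_redirect( admin_url() );
    exit;
}

function lsd_example_render_vuln( $term_id ) {
    $value = get_term_meta( $term_id, 'lsd_example_meta', true );
    // Unescaped output: a stored value such as "><script>...</script> breaks out
    // of the attribute and executes in the browser of every admin who loads this.
    echo '<input type="text" name="lsd_example_meta" value="' . $value . '">';
}

/* ---------- Hardened pattern ---------- */

add_action( 'admin_post_lsd_example_save', 'lsd_example_save_hardened' );
function lsd_example_save_hardened() {
    $term_id = isset( $_POST['term_id'] ) ? absint( $_POST['term_id'] ) : 0;

    // 1. Authorisation: the 'edit_term' meta capability resolves to the
    //    taxonomy's edit capability for this specific term.
    if ( ! $term_id || ! current_user_can( 'edit_term', $term_id ) ) {
        wp_die( 'You are not allowed to edit this term.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the nonce is bound to the action and the term id. An attacker's
    //    page cannot read it (same-origin policy), so a forged request dies here.
    check_admin_referer( 'lsd_example_save_' . $term_id, 'lsd_example_nonce' );

    // 3. Input neutralisation: remove slashes added by WP, then strip tags,
    //    line breaks and control characters before storing.
    $raw   = isset( $_POST['lsd_example_meta'] ) ? wp_unslash( $_POST['lsd_example_meta'] ) : '';
    $clean = sanitize_text_field( $raw );
    if ( '' === $clean ) {
        delete_term_meta( $term_id, 'lsd_example_meta' );
    } else {
        update_term_meta( $term_id, 'lsd_example_meta', $clean );
    }

    wp_safe_redirect( wp_get_referer() ?: admin_url( 'edit-tags.php?taxonomy=category' ) );
    exit;
}

function lsd_example_render_hardened( $term_id ) {
    $value = get_term_meta( $term_id, 'lsd_example_meta', true );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="lsd_example_save">
        <input type="hidden" name="term_id" value="<?php echo absint( $term_id ); ?>">
        <?php wp_nonce_field( 'lsd_example_save_' . $term_id, 'lsd_example_nonce' ); ?>
        <label for="lsd_example_meta">Example meta</label>
        <!-- 4. Output escaping: esc_attr() encodes quotes and angle brackets, so
             even a value that reached the database some other way cannot break
             out of the attribute. -->
        <input type="text" id="lsd_example_meta" name="lsd_example_meta"
               value="<?php echo esc_attr( $value ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The nonce alone would close the CSRF vector, and escaping alone would close the XSS sink; both are needed because a plugin that only fixes the nonce still lets any legitimately privileged user store script that runs in other admins' sessions, and a plugin that only escapes output still lets a forged request overwrite site data. The capability check is separate again: nonces prove intent, not authorisation.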
Exploitation
Exploitation requires user interaction: an authenticated administrator or other privileged user must visit an attacker-controlled page, click a crafted link, or submit a form while their WordPress session is valid, so that the browser attaches the victim's cookies to the forged request. The attacker needs no account or privileges on the target site; they only need to craft a request that, when executed by the victim, modifies plugin settings or taxonomy meta fields to inject malicious script [1].
Impact
Successful exploitation lets an attacker make a higher-privileged user (such as an administrator) perform unwanted actions under that user's current session. Because the injected script is stored rather than reflected, it runs each time a privileged user loads the page that renders the tainted data, in the context of the admin panel, which can lead to further compromise (for example creation of additional admin accounts or installation of backdoors through the admin's session), data theft, or site defacement [1].
Mitigation
The vulnerability is present in all versions up to and including 1.3.2. Site owners should update the plugin to a release later than 1.3.2 that addresses this issue as soon as one is available. If no fixed release is available, the plugin should be temporarily deactivated, or the site owner should seek assistance from a hosting provider or developer. After updating, it is worth reviewing the plugin's stored taxonomy and category meta for injected markup, since a fix stops new injections but does not remove payloads that were already stored. This type of vulnerability is known to be used in mass-exploit campaigns targeting WordPress sites [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.