CVE-2025-46518

Vulnerability

Overview

The IGIT Related Posts With Thumb Image After Posts plugin for WordPress (versions up to and including 4.5.3) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of input during web page generation. This flaw allows an authenticated attacker with the required privileges to inject arbitrary web scripts or HTML into posts [1].

Exploitation

Details

To exploit this vulnerability, an attacker must have a privileged user role in the WordPress site. The attack requires user interaction, such as clicking a malicious link or visiting a crafted page, to trigger the stored payload. Once injected, the malicious script is stored on the server and executed when other users (including site visitors) access the affected page [1].

Impact

Successful exploitation enables an attacker to execute arbitrary HTML and JavaScript in the context of the victim's browser. This can be used to redirect users to malicious sites, display unauthorized advertisements, steal session cookies, or perform other malicious actions within the affected site's domain [1].

Mitigation

The vendor recommends updating the plugin to a patched version as soon as it becomes available. In the interim, users can apply a virtual mitigation rule from Patchstack to block exploitation attempts. Site administrators should also review active user permissions to ensure that only trusted users have the necessary privilege level to exploit this vulnerability [1].