CVE-2025-46523

The COVID-19 (Coronavirus) Update Your Customers plugin for WordPress, versions 1.5.1 and earlier, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This flaw enables an attacker to inject arbitrary HTML and JavaScript code that is stored on the server and executed in the browsers of visitors.

Exploitation requires a privileged user, such as an administrator, to perform an action like clicking a crafted link or submitting a specially prepared form. The vulnerability is actively used in mass-exploit campaigns targeting websites of all sizes, making it a significant threat even for low-traffic sites [1].

Successful exploitation allows an attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads, which execute when any visitor accesses the affected page. This can lead to defacement, data theft, or further compromise of the site and its users [1].

As an immediate mitigation, users should update the plugin to a patched version. If updating is not possible, it is recommended to contact a hosting provider or web developer for assistance. The vulnerability is listed in the Patchstack database and is considered a medium-severity issue with a CVSS score of 5.9 [1].