CVE-2025-46534
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DanielRiera Image Style Hover image-content-show-hover allows DOM-Based XSS. This issue affects Image Style Hover: from n/a through <= 1.0.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A DOM-based cross-site scripting vulnerability in the WordPress Image Style Hover plugin (<=1.0.6) allows attackers to inject malicious scripts via unsanitized input.
The Image Style Hover WordPress plugin (versions up to and including 1.0.6) contains a DOM-based Cross-Site Scripting (XSS) vulnerability. The issue arises from improper neutralization of user-controllable input during web page generation, enabling attackers to inject and execute arbitrary JavaScript in the context of an administrator's browser session [1].
Exploitation requires user interaction: an authenticated administrator must perform an action such as clicking a malicious link or visiting a crafted page. Although the attack must be triggered by a privileged user, the attacker does not need direct access to the admin panel; they can exploit the flaw remotely by luring an admin to a specially crafted link [1].
Successful exploitation allows an attacker to inject malicious scripts that can redirect visitors, display unauthorized advertisements, or alter page content. These scripts execute when victims visit the affected site, potentially leading to credential theft or further compromise of the WordPress installation [1].
The vendor has been notified, and an update is recommended. Users are advised to upgrade to a patched version immediately. If upgrading is not possible, consulting a hosting provider or security specialist for mitigation is suggested [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.0.6
- Range: <=1.0.6
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.