VYPR
High severity · CVSS 7.1 · NVD Advisory · Published May 23, 2025 · Updated Apr 23, 2026

CVE-2025-46537

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ctltwp Section Widget (section-widget) allows Reflected XSS. This issue affects Section Widget: from n/a through <= 3.3.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Section Widget plugin ≤3.3.1 for WordPress is vulnerable to reflected XSS, allowing attackers to inject malicious scripts via unneutralized input in web pages.

CVE-2025-46537 is a reflected cross-site scripting (XSS) vulnerability in the Section Widget (section-widget) plugin for WordPress, affecting versions from n/a through 3.3.1. The root cause is improper neutralization of user-supplied input during web page generation, which enables an attacker to inject arbitrary HTML and JavaScript. [1]

Exploitation requires user interaction: an attacker must trick a privileged user (such as an administrator) into clicking a crafted link or visiting a specially prepared page that submits the malicious input. The attacker needs no authentication to craft the injection, but the victim must perform an action such as clicking the link or submitting a form. [1]

Successful exploitation allows the attacker to execute arbitrary scripts in the context of the vulnerable site. This can be used to redirect visitors, display advertisements, steal session cookies, or otherwise deface the website. The vulnerability is considered moderately dangerous and is expected to be incorporated into mass-exploit campaigns targeting thousands of WordPress sites. [1]

As of the publication date, no official patch had been released for the latest affected version. However, Patchstack has issued a mitigation rule to block attacks until an official update becomes available. Users are advised to either update the plugin to a safe version when released, or apply the mitigation rule. [1]

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.