CVE-2025-47458
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in B2itech B2i Investor Tools b2i-investor-tools allows Reflected XSS. This issue affects B2i Investor Tools: from n/a through <= 1.0.7.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS vulnerability in WordPress B2i Investor Tools plugin (<=1.0.7.9) allows attackers to inject malicious scripts via crafted links, requiring user interaction.
The B2i Investor Tools plugin for WordPress (versions up to and including 1.0.7.9) contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject arbitrary HTML and JavaScript into a response, which is then executed in the context of the victim's browser.
Exploitation requires user interaction: an attacker must trick a privileged user (such as an administrator) into clicking a specially crafted link or visiting a maliciously prepared page [1]. No authentication is needed for the attacker, but the victim must be logged into the WordPress site for the injected script to execute with their privileges.
Successful exploitation allows the attacker to perform actions such as redirecting visitors to malicious sites, displaying unwanted advertisements, stealing session cookies, or defacing the website [1]. The CVSS v3 base score of 7.1 (High) reflects the potential for significant impact, though the requirement for user interaction reduces the likelihood of automated exploitation.
To mitigate this vulnerability, users should update the B2i Investor Tools plugin to version 1.0.8 or later, which contains the fix [1]. For those unable to update immediately, Patchstack offers a mitigation rule that blocks attacks until the patch is applied [1].
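The narrative above describes the general mechanism (user-supplied input written into a page without escaping) and the fix (escape at output). The following is an added illustration of that pattern in WordPress plugin code; it is not code from the B2i Investor Tools plugin, the vulnerable parameter in the real plugin is not given on this page, and the function name `b2i_demo_render_*` and the `ticker` parameter are hypothetical placeholders.

```php
<?php
// Added illustration, not the plugin's code. Function and parameter names
// here are hypothetical; the real affected parameter is not identified on this page.

// Hypothetical vulnerable handler: a request parameter is echoed straight back
// into the response, so whatever a crafted link puts in that parameter becomes
// part of the HTML the victim's browser renders (reflected XSS, CWE-79).
function b2i_demo_render_unsafe() {
    $symbol = isset( $_GET['ticker'] ) ? $_GET['ticker'] : '';
    echo '<input type="text" name="ticker" value="' . $symbol . '">';
    echo '<p>Showing quotes for ' . $symbol . '</p>';
}

// Hardened form: unslash and sanitize the raw value on input, then escape it
// for the exact output context (attribute vs. text node) where it is written.
function b2i_demo_render_safe() {
    $symbol = isset( $_GET['ticker'] )
        ? sanitize_text_field( wp_unslash( $_GET['ticker'] ) )
        : '';
    echo '<input type="text" name="ticker" value="' . esc_attr( $symbol ) . '">';
    echo '<p>Showing quotes for ' . esc_html( $symbol ) . '</p>';
}
```

The point of the hardened version is that escaping happens at the output site and is chosen per context: `esc_attr()` inside an attribute value, `esc_html()` in a text node, `esc_url()` for an `href`, and `wp_json_encode()` when a value is embedded in inline JavaScript. Input sanitization alone (`sanitize_text_field()`) is not a substitute for output escaping, since it does not neutralize characters that are meaningful in every HTML context. When reviewing a plugin for this class of bug, searching for `$_GET`, `$_POST` and `$_REQUEST` values that reach `echo` or string concatenation without one of these escaping functions is the quickest way to find candidate sinks.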
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=1.0.7.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.