CVE-2025-47477
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in revmakx Backup and Staging by WP Time Capsule wp-time-capsule allows Reflected XSS. This issue affects Backup and Staging by WP Time Capsule: from n/a through <= 1.22.23.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in WP Time Capsule plugin (≤1.22.23) allows attackers to inject scripts via crafted links.
Vulnerability Type
CVE-2025-47477 is a reflected cross-site scripting (XSS) vulnerability in the WordPress plugin Backup and Staging by WP Time Capsule (version ≤1.22.23). The flaw stems from improper neutralization of user input during web page generation, allowing an attacker to inject arbitrary HTML or JavaScript into a response [1].
Exploitation Mechanism
An attacker can trigger the vulnerability by crafting a malicious link containing the XSS payload. Successful exploitation requires a privileged user (e.g., an administrator) to click that link, visit a crafted page, or submit a specially designed form. No special network position is needed; the attack can be delivered via email, social media, or other channels [1].
Potential Impact
If exploited, the injected script executes in the context of the victim's browser, within the WordPress admin area. This could lead to session hijacking, defacement, redirection to malicious sites, or theft of sensitive data. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites [1].
Mitigation
The vendor has released version 1.22.24 which fixes the vulnerability. Users are strongly advised to update immediately. If updating is not possible, implementing a virtual patch (such as the one provided by Patchstack) can block attacks until the plugin is updated [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <= 1.22.23
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.