VYPR
High severity 7.1 · NVD Advisory · Published Jun 9, 2025 · Updated Apr 23, 2026

CVE-2025-47487

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Moreconvert Team MC Woocommerce Wishlist smart-wishlist-for-more-convert allows Reflected XSS. This issue affects MC Woocommerce Wishlist: from n/a through <= 1.9.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in MC Woocommerce Wishlist plugin (≤1.9.1) allows script injection via unescaped input; update to 1.9.2.

Vulnerability Overview

The MC Woocommerce Wishlist plugin (smart-wishlist-for-more-convert) for WordPress versions from n/a through 1.9.1 contains a Reflected Cross-Site Scripting (XSS) vulnerability. The root cause is improper neutralization of user-supplied input during web page generation, enabling an attacker to inject arbitrary HTML or JavaScript into the response page. [1]

Exploitation Conditions

Exploitation requires user interaction; a victim must click a crafted link, visit a maliciously prepared page, or submit a specially designed form. No authentication is needed to trigger the flaw, but the victim must perform an action that causes the injected script to execute. Attackers can leverage this to target thousands of sites in mass campaigns, regardless of site popularity or traffic size. [1]

Impact

Successful exploitation allows an attacker to inject malicious scripts into the vulnerable site. This can lead to redirects, unauthorized ad insertion, defacement, or theft of sensitive information such as session cookies, all executed when legitimate visitors access the affected page. The CVSS v3 base score is 7.1 (High), reflecting moderate severity and the potential for widespread abuse. [1]

Mitigation

The vulnerability has been patched in version 1.9.2 of the plugin. Users are strongly advised to update to this version immediately. If an immediate update is not possible, a mitigation rule is available via Patchstack to block attacks until the plugin can be patched. Given the risk of mass exploitation, swift action is recommended. [1]

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
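
An added example, not part of the advisory or the plugin's code: a filesystem audit that flags WordPress installs still running a release of `smart-wishlist-for-more-convert` older than the patched 1.9.2. It assumes the default `wp-content/plugins` layout and the standard WordPress plugin file header; the sample installs and the `main.php` file name are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

SLUG = "smart-wishlist-for-more-convert"  # plugin slug named in the advisory
FIXED = (1, 9, 2)                         # first patched release per the advisory
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.I | re.M)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d[\w.\-]*)", re.I | re.M)

def parse_version(text):
    """'1.9.1' -> (1, 9, 1); a suffix such as '-beta' is ignored, short forms are zero-padded."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    nums = [int(n) for n in m.group().split(".")] if m else []
    return tuple(nums + [0] * (3 - len(nums)))

def installed_version(plugin_dir):
    """Return the Version header of the plugin's main file: the top-level
    .php file whose first 8 KiB carries a 'Plugin Name:' header."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        if NAME_RE.search(head):
            m = VERSION_RE.search(head)
            return m.group(1) if m else None
    return None

def audit(wp_root):
    """Classify one WordPress root (assumes wp-content has not been relocated)."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return "not-installed"
    version = installed_version(plugin_dir)
    if version is None:
        return "unknown"  # header missing or unreadable: inspect by hand
    return "vulnerable" if parse_version(version) < FIXED else "patched"

def demo():
    """Build three constructed sample sites and audit each one."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for site, ver in [("shop-a", "1.9.1"), ("shop-b", "1.9.2"), ("shop-c", None)]:
            root = Path(tmp) / site
            if ver:
                pdir = root / "wp-content" / "plugins" / SLUG
                pdir.mkdir(parents=True)
                (pdir / "main.php").write_text(  # hypothetical file name
                    f"<?php\n/**\n * Plugin Name: Constructed Sample\n * Version: {ver}\n */\n")
            results[site] = audit(root)
    return results
```

Call `audit()` on each WordPress document root in a hosting fleet; anything reported as `vulnerable` or `unknown` needs the 1.9.2 update or a manual check.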
