CVE-2025-47497

The Logo Showcase plugin for WordPress versions 3.0.4 and earlier contains a DOM-Based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject arbitrary JavaScript into the DOM of a victim's browser when a vulnerable page is rendered.

Exploitation requires a privileged user (e.g., an administrator) to perform an action such as clicking a malicious link, visiting a crafted page, or submitting a specially crafted form [1]. The attack does not require direct network access to the server but relies on social engineering to trigger the payload within the victim's session.

Successful exploitation allows an attacker to execute malicious scripts in the context of the logged-in user's browser, potentially leading to session hijacking, defacement, redirection to malicious sites, or injection of advertisements and other HTML payloads [1]. The CVSS v3 base score of 6.5 reflects the medium severity and the need for user interaction.

The vulnerability has been addressed in version 3.0.5 of the plugin. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins to mitigate the risk [1].