VYPR
Medium severity 6.5 · NVD Advisory · Published May 7, 2025 · Updated Apr 23, 2026

CVE-2025-47507

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ajay Better Search better-search allows DOM-Based XSS. This issue affects Better Search: from n/a through <= 4.1.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DOM-Based XSS in WordPress Better Search plugin (<=4.1.0) allows attackers to inject malicious scripts via crafted input, requiring user interaction.

The Better Search plugin for WordPress (versions up to and including 4.1.0) contains a DOM-Based Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an attacker to inject arbitrary JavaScript code that executes in the browser of a victim visiting the affected site.

Exploitation requires a privileged user (such as an administrator) to perform an action like clicking a malicious link, visiting a crafted page, or submitting a specially crafted form [1]. The DOM-based nature of the vulnerability means the payload is processed client-side after the page loads, bypassing server-side filters.

Successful exploitation enables an attacker to execute malicious scripts in the context of the victim's browser, potentially leading to redirects, injection of advertisements, or other HTML payloads that affect site visitors [1]. This type of vulnerability is frequently used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity.

The vulnerability has been addressed in version 4.1.1 of the plugin [1]. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If updating is not possible, consulting a hosting provider or web developer is recommended [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

1
