CVE-2025-47554

Vulnerability

The CSS3 Compare Pricing Tables for WordPress plugin (plugin name: css3_web_pricing_tables_grids) versions up to and including 11.6 suffer from a reflected cross-site scripting (XSS) vulnerability. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML or JavaScript into a response [1].

Exploitation

Exploitation does not require authentication, as any unauthenticated user can trigger the vulnerability by crafting a malicious URL. However, successful attack requires the targeted user (e.g., an administrator or visitor) to interact with the crafted link—for example, by clicking it or visiting a specially crafted page. This interaction prerequisite is reflected in the CVSS score, which assigns a value of 7.1 (High) [1].

Impact

If exploited, the attacker can inject malicious scripts that execute in the context of the victim's browser. This can lead to session hijacking, defacement, redirection to malicious sites, or the injection of advertisements and other HTML payloads. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of WordPress installations [1].

Mitigation

The vulnerability has been addressed in version 11.7 of the plugin. Users are strongly advised to update to this version or later immediately. For those unable to update, Patchstack provides a virtual patching rule to block attacks until the update can be applied. No other workarounds have been published [1].