VYPR
Medium severity 6.5 · NVD Advisory · Published May 7, 2025 · Updated Apr 23, 2026

CVE-2025-47604

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Data443 Risk Mitigation, Inc. Inline Related Posts (intelly-related-posts) allows Stored XSS. This issue affects Inline Related Posts: from n/a through <= 3.8.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in the WordPress Inline Related Posts plugin allows authenticated attackers to inject malicious scripts into the web page.

Vulnerability Overview

The Inline Related Posts plugin for WordPress (versions through 3.8.0) suffers from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw enables attackers with the required privileges to inject arbitrary HTML and JavaScript into the application, which is then stored and served to other users when they visit the affected page.

Exploitation Conditions

Exploitation requires a privileged user role that can supply input processed by the plugin, though successful execution of the injected script also depends on an authenticated user (such as an administrator) performing an action like clicking a crafted link or visiting a prepared page [1]. The vulnerability is classified as Stored XSS, meaning the malicious payload persists in the database and is displayed to subsequent visitors without the need for direct user interaction at the point of delivery.

Impact

If exploited, an attacker can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to unauthorized actions, redirection to malicious sites, display of unwanted advertisements, or theft of session cookies [1]. The CVSS v3.0 base score is 6.5 (Medium), reflecting the need for user interaction and elevated privileges for initial injection.

Mitigation

The vulnerability has been addressed in version 3.9.0 of the plugin. Users are strongly advised to update to this version or later. Automatic updates (via Patchstack or other management tools) can be enabled for vulnerable plugins [1]. There is no mention of a workaround for unpatched versions, so updating is the recommended course of action.
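To confirm whether a given site still runs an affected release, the following added example (not part of the advisory or the plugin's code) reads the installed plugin's version header and compares it with the last affected version, 3.8.0. It assumes the standard WordPress plugin header format and that the caller passes the path to `wp-content/plugins`; the function names and the sample header are constructed for illustration.

```python
import re
import sys
from pathlib import Path

PLUGIN_SLUG = "intelly-related-posts"  # plugin slug named in the advisory
LAST_AFFECTED = (3, 8, 0)              # advisory: affected through <= 3.8.0
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)", re.M | re.I)

def parse_version(header_text):
    """Return the Version value from a WordPress plugin header, or None."""
    match = HEADER_RE.search(header_text)
    return match.group(1) if match else None

def version_tuple(version):
    """'3.8' -> (3, 8, 0); suffixes such as '-beta' are ignored."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts + [0] * (3 - len(parts)))  # pad short versions

def is_affected(version):
    return version_tuple(version) <= LAST_AFFECTED

def audit(plugins_dir):
    """Return (version, affected) for the plugin, or None if not found."""
    plugin_dir = Path(plugins_dir) / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        # Plugin headers sit at the top of the main file; 8 KB is enough.
        head = php.read_text(errors="replace")[:8192]
        if "Plugin Name:" in head:
            version = parse_version(head)
            if version:
                return version, is_affected(version)
    return None

# Constructed sample header for demonstration (not copied from the plugin).
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: Inline Related Posts\nVersion: 3.8.0\n*/\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(audit(sys.argv[1]))
    else:
        v = parse_version(SAMPLE_HEADER)
        print(v, "affected" if is_affected(v) else "not affected")
```

Run it with the path to a site's `wp-content/plugins` directory as the only argument; a result of `(version, True)` means the plugin should be updated to 3.9.0 or later.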

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
