CVE-2025-47618

Vulnerability

The BMI Adult & Kid Calculator plugin for WordPress versions up to 1.2.2 suffers from a reflected cross-site scripting (XSS) vulnerability. The plugin fails to properly neutralize user input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript code [1].

Exploitation

Exploitation requires user interaction, such as clicking a crafted link. The attacker does not need authentication, but the targeted user must be logged in as a privileged user (e.g., admin) to trigger the vulnerable functionality. This aligns with the CVSS vector indicating network attack vector, low attack complexity, and required user interaction [1].

Impact

Successful exploitation allows an attacker to execute malicious scripts in the context of the victim's browser. This can lead to redirecting users to malicious sites, injecting advertisements, or performing other actions that compromise the integrity of the web page [1].

Mitigation

As immediate action, update the plugin to the latest version. If an update is not available, apply a mitigation rule provided by security solutions like Patchstack until an official patch can be tested and deployed [1].