CVE-2025-48102
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gourl GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership (gourl-bitcoin-payment-gateway-paid-downloads-membership) allows Stored XSS. This issue affects GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership: from n/a through <= 1.6.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
GoUrl Bitcoin Payment Gateway plugin ≤1.6.6 has a stored XSS bug allowing attackers to inject malicious scripts into pages viewed by other users.
Vulnerability Overview
The GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership plugin for WordPress, up to version 1.6.6, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation. This issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and allows an attacker with sufficient privileges to store malicious scripts that will execute when other users visit affected pages [1].
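The pattern CWE-79 describes, shown here as an added example rather than code from the GoUrl plugin (the plugin's own source is not on this page): a value that was saved to the database earlier is written into a page, first without escaping and then escaped for the context it lands in. The `render_*` and `contains_tag` functions and the sample stored value are constructed for illustration; in a WordPress plugin the equivalents of the escaping calls are `esc_html()` for text and `esc_attr()` for attribute values.

```php
<?php
// Added example, not the GoUrl plugin's code.
// Constructed sample of an attacker-controlled field as it might sit in the
// database after being submitted through a form the plugin renders later.
$stored = '<img src=x onerror="alert(1)">';

// Vulnerable pattern: the stored value is concatenated straight into markup,
// so any tag or event handler it contains is parsed by the visitor's browser.
function render_unsafe(string $value): string {
    return '<p class="note">' . $value . '</p>';
}

// Hardened pattern: escape at output time, in the text context.
// ENT_QUOTES also escapes single and double quotes, ENT_HTML5 picks the HTML5
// entity table. In WordPress this is esc_html($value).
function render_escaped(string $value): string {
    return '<p class="note">'
        . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// Attribute context: the same escaping, and the attribute must be quoted in
// the markup so an unquoted value cannot break out. WordPress: esc_attr().
function render_attr(string $value): string {
    return '<input type="text" value="'
        . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '">';
}

// Minimal check a reviewer can run over rendered fragments: does an active
// tag survive the rendering step? The escaped forms turn '<' into '&lt;', so
// the pattern no longer matches them.
function contains_tag(string $html): bool {
    return (bool) preg_match('/<img\b|<script\b/i', $html);
}

echo render_unsafe($stored), "\n";
echo render_escaped($stored), "\n";
echo render_attr($stored), "\n";
var_dump(contains_tag(render_unsafe($stored)));
var_dump(contains_tag(render_escaped($stored)));
```

The point of the two escaping functions is that neutralization belongs at the output step and depends on where the value is written: text between tags and a quoted attribute value need entity encoding, while a value placed inside a `<script>` block or a URL would need a different encoder and is not covered by this example.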
Attack Vector
Exploitation requires a privileged user role that can interact with input fields processed by the plugin. The attacker must inject a crafted payload, which is then stored in the database and later served to visitors without proper sanitization. User interaction is required, meaning a victim (such as an administrator or site visitor) must perform an action like clicking a link or viewing the malicious page [1]. No network-level access or authentication bypass is needed; the attacker simply needs the ability to submit content through the plugin's vulnerable forms.
Impact
Successful exploitation enables the attacker to inject arbitrary HTML and JavaScript into the affected WordPress site. This can be used to redirect visitors to malicious sites, display unwanted advertisements, steal cookies or session tokens, or perform other actions in the context of the victim's browser session. The vulnerability has a CVSS v3 base score of 5.9 (Medium), indicating moderate severity with potential for data integrity and confidentiality impact [1].
Mitigation
Patches are not yet confirmed; the plugin author is advised to release an update. Once a fixed release (version 1.6.7 or later) becomes available, users should update to it immediately. If updating is not possible right away, WordPress site administrators can add a web application firewall (WAF) rule to block XSS payloads or temporarily disable the plugin until a fix is applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- (no CPE) range: <= 1.6.6
- (no CPE) range: <= 1.6.6
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.