CVE-2025-48103

The WordPress Today's Date Inserter plugin version 1.2.1 and earlier suffers from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This vulnerability affects the todays-date-inserter plugin and can be exploited by any authenticated user with the appropriate role, as per the plugin's permission model [1].

To exploit this flaw, an attacker must first authenticate to the WordPress admin panel with sufficient privileges (typically contributor or higher) and then inject a malicious script payload into a field that is later rendered on a page viewed by other users [1]. No direct user interaction is required from the victim beyond visiting the affected page, but the attacker does need to be logged in to insert the payload [1].

Successful exploitation allows the attacker to embed arbitrary JavaScript code that executes in the context of any visitor's browser. This can lead to redirection to malicious sites, display of unwanted ads, theft of session cookies, or defacement of the site [1]. The attack can be used in mass-exploit campaigns targeting thousands of WordPress installations simultaneously [1].

Mitigation

The vendor has not released a patched version as of the publication date, and the plugin version 1.2.1 is the last affected release [1]. Users are strongly advised to remove or disable the plugin until an update is available, or to apply any workarounds recommended by the plugin's developer. As immediate action, update the affected plugin or remove it entirely [1]. If removal is not possible, consult your hosting provider for assistance [1].