CVE-2025-48143
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in salesup2019 Formulario de contacto SalesUp! formularios-de-contacto-salesup allows Reflected XSS. This issue affects Formulario de contacto SalesUp!: from n/a through <= 1.0.14.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in the WordPress plugin Formulario de contacto SalesUp!, versions ≤1.0.14, allows an attacker to inject malicious scripts via unneutralized input.
Vulnerability Overview
The WordPress plugin Formulario de contacto SalesUp! (formularios-de-contacto-salesup) versions up to and including 1.0.14 contain a reflected cross-site scripting (XSS) vulnerability. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript code that is reflected back to the user in the server's response [1].
Exploitation Conditions
This is a reflected XSS issue, meaning the attacker must trick a privileged user (such as an administrator) into clicking a crafted link, visiting a maliciously constructed page, or submitting a specially prepared form. The vulnerability is rated with a CVSS v3 base score of 7.1 (High) and is expected to be exploited in mass campaigns targeting thousands of WordPress sites regardless of popularity or traffic size [1].
Impact
Successful exploitation enables an attacker to execute malicious scripts in the context of the vulnerable site. This can be leveraged to perform actions such as redirecting visitors to malicious destinations, injecting unwanted advertisements, or stealing sensitive information like session cookies. The attacker's injected payload runs when any guest visits the affected page [1].
Mitigation Status
As of the publication date, no official patch is available beyond version 1.0.14. The advisory strongly recommends updating the plugin immediately once the next security release is published. As a temporary workaround, Patchstack has issued a mitigation rule that blocks attacks before an official fix can be applied. If an immediate update is not possible, users are advised to contact their hosting provider or a web developer for assistance [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1.0.14
Patches
No patches discovered yet.
References