CVE-2025-48152

Vulnerability

Overview

The Rentsyst plugin for WordPress contains a Reflected Cross-Site Scripting (XSS) vulnerability in versions up to and including 2.0.100. The issue stems from improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript into the response [1].

Exploitation

Prerequisites

Exploitation requires a privileged user (e.g., admin) to perform an action, such as clicking a crafted link or visiting a specially crafted page. The attack is reflected, meaning the payload is delivered via a request and executed immediately in the victim's browser. This makes it suitable for mass-exploit campaigns targeting WordPress sites [1].

Impact

Successful exploitation can lead to execution of malicious scripts in the context of the vulnerable site. Attackers could use this to redirect visitors, display advertisements, or steal session cookies. The CVSS v3 score of 7.1 indicates a high severity, with the vulnerability being moderately dangerous and expected to become exploited [1].

Mitigation

Users are strongly advised to update the Rentsyst plugin to version 2.0.101 or later, which contains the fix. Patchstack also provides a mitigation rule to block attacks until the update is applied [1].