CVE-2025-48241
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soft8Soft LLC Verge3D verge3d allows Reflected XSS. This issue affects Verge3D: from n/a through <= 4.9.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in the Verge3D plugin for WordPress, in versions up to and including 4.9.3, allows attackers to inject malicious scripts via crafted requests; exploitation requires user interaction.
Vulnerability
Overview
CVE-2025-48241 is a reflected cross-site scripting (XSS) vulnerability in the Soft8Soft Verge3D plugin for WordPress. The flaw stems from improper neutralization of user-supplied input during web page generation, affecting all versions up to and including 4.9.3 [1]. This allows an attacker to inject arbitrary HTML or JavaScript into a response that is reflected back to the user's browser.
Exploitation
Requirements
Exploitation requires user interaction — the victim must click a malicious link or visit a specially crafted URL. No authentication is needed to deliver the payload, but the attacker must convince a user (such as a site administrator or visitor) to perform the action [1]. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of WordPress sites regardless of their popularity or traffic.
Impact
If exploited, an attacker can execute arbitrary scripts in the context of the victim's browser session. This could lead to redirects to malicious sites, injection of advertisements, theft of session cookies, or other client-side attacks that compromise the confidentiality and integrity of the affected site and its users [1].
Mitigation
The vulnerability has been fixed in Verge3D version 4.9.4. Users are strongly advised to update immediately. For those unable to update, Patchstack offers a mitigation rule to block exploitation attempts. Auto-update can be enabled for Patchstack users [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.