VYPR
Medium severity · 5.9 · NVD Advisory · Published Aug 28, 2025 · Updated Apr 23, 2026

CVE-2025-48305

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vikingjs Goal Tracker for Patreon (goal-tracker-for-patreon) allows Stored XSS. This issue affects Goal Tracker for Patreon: from n/a through 0.4.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in WordPress Goal Tracker for Patreon plugin (≤0.4.6) allows attackers to inject malicious scripts via unsanitized input.

The Goal Tracker for Patreon plugin for WordPress (versions up to and including 0.4.6) contains a stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user input during page generation. This allows an attacker to inject arbitrary web scripts that are stored on the server and executed when other users visit the affected page.

Exploitation requires an account with at least contributor-level privileges. That role can save content through the plugin but cannot post unfiltered HTML in WordPress, so the defect is that the plugin renders the stored value without escaping it. The payload then executes when another user, typically an administrator, loads a page that renders the stored value; the victim has to view that page, which is why the score counts user interaction as required. Vulnerabilities of this class are known to be used in mass-exploit campaigns that target thousands of sites regardless of size [1].

Successful exploitation runs attacker-controlled script in the victim's browser within the site's origin. In practice this is used to inject redirects, advertisements and other HTML into pages shown to visitors, and, when the viewing user is an administrator, the script runs with that user's session, compromising the site's integrity and user trust [1].
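The rendering defect described above, shown as an added illustration written for this page rather than taken from the plugin: the advisory does not name the plugin's actual output sink, so the goal fields, the function names and the esc_html_/esc_attr_/absint_ stand-ins for the WordPress helpers are assumptions. A stored goal record carrying a constructed payload is rendered once by plain string concatenation and once with context-appropriate output escaping, and each result is parsed the way a browser would to see whether an event-handler attribute survived.

```php
<?php
declare(strict_types=1);
// Illustrative example added to this page; it is NOT code from the
// Goal Tracker for Patreon plugin, whose exact output sink the advisory does
// not name. It models the generic pattern "stored user input rendered into a
// page without escaping" and its fix. Runs offline with `php demo.php`; the
// WordPress helpers esc_html()/esc_attr()/absint() are replaced by local
// equivalents below so no WordPress install is needed.

/** Offline stand-in for WordPress esc_html(): escape for HTML text content. */
function esc_html_(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Offline stand-in for WordPress esc_attr(): escape for a quoted attribute value. */
function esc_attr_(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Offline stand-in for WordPress absint(): numeric fields are coerced, not escaped. */
function absint_($v): int {
    return abs((int) $v);
}

/**
 * Constructed "stored" goal, as a contributor-level account might save it
 * through a plugin form or shortcode attribute. Contributors cannot post
 * unfiltered HTML in WordPress, so the payload only fires if the plugin
 * echoes the stored value back without escaping it.
 */
function stored_goal_sample(): array {
    return [
        'title'   => 'Launch fund" autofocus onfocus="alert(document.cookie)',
        'label'   => '<img src=x onerror="alert(1)">',
        'current' => '75',
        'target'  => '100',
    ];
}

/** Vulnerable pattern: stored values concatenated straight into markup. */
function render_goal_vulnerable(array $g): string {
    return '<div class="goal" title="' . $g['title'] . '">'
         . '<span>' . $g['label'] . '</span>'
         . '<progress value="' . $g['current'] . '" max="' . $g['target'] . '"></progress>'
         . '</div>';
}

/** Hardened pattern: escape at output, choosing the escaper by HTML context. */
function render_goal_hardened(array $g): string {
    return '<div class="goal" title="' . esc_attr_($g['title']) . '">'
         . '<span>' . esc_html_($g['label']) . '</span>'
         . '<progress value="' . absint_($g['current']) . '" max="' . absint_($g['target']) . '"></progress>'
         . '</div>';
}

/**
 * Check the way a browser would: parse the fragment and look for any element
 * carrying an on* event-handler attribute. A plain substring search for
 * "onerror=" is not enough, because the hardened output still contains that
 * text, harmlessly, inside an escaped attribute value.
 */
function has_event_handler_attribute(string $html): bool {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // <progress> is unknown to libxml's HTML4 parser; ignore the warning
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    foreach ($doc->getElementsByTagName('*') as $el) {
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                return true;
            }
        }
    }
    return false;
}

$goal = stored_goal_sample();
echo 'vulnerable: ' . render_goal_vulnerable($goal) . PHP_EOL;
echo 'hardened:   ' . render_goal_hardened($goal) . PHP_EOL;
echo 'vulnerable has handler: ' . var_export(has_event_handler_attribute(render_goal_vulnerable($goal)), true) . PHP_EOL;
echo 'hardened has handler:   ' . var_export(has_event_handler_attribute(render_goal_hardened($goal)), true) . PHP_EOL;
```

Run it with php demo.php. The unescaped render produces a div carrying an onfocus attribute and an img carrying onerror, so the check reports true; the escaped render produces neither, so it reports false, even though the text onerror= is still visible in the escaped output as inert attribute content. The same split applies inside a real plugin: sanitize on save (sanitize_text_field(), wp_kses_post()) and escape on output per context (esc_html(), esc_attr(), absint()), rather than relying on the saving user's role, since contributors are exactly the accounts that lack unfiltered_html.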

The vendor has released a fix; users are strongly advised to update the plugin to version 0.4.7 or later. If immediate updating is not possible, a web developer or hosting provider should be consulted for mitigation [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 1
