CVE-2025-48314
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in salubrio Add Code To Head add-code-to-head allows Stored XSS.This issue affects Add Code To Head: from n/a through <= 1.17.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in WordPress Add Code To Head plugin allows attackers to inject malicious scripts via unsanitized input.
Vulnerability
CVE-2025-48314 is a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin Add Code To Head, affecting all versions up to and including 1.17. The issue arises from improper neutralization of input during web page generation, allowing attackers to inject arbitrary HTML and JavaScript code into the plugin's settings.
Exploitation
Exploitation requires a privileged user (e.g., administrator) to perform an action, such as clicking a malicious link or submitting a crafted form. Once the injected script is stored, it executes automatically when other users visit the affected page, making it a stored XSS attack.
Impact
An attacker can inject malicious scripts, including redirects, advertisements, or other payloads, which execute in the browsers of visitors. This can lead to session hijacking, defacement, or phishing attacks, potentially affecting thousands of websites if used in mass-exploit campaigns.
Mitigation
The vulnerability is fixed in version 1.23 of the plugin. Users are strongly advised to update immediately. If an update is not possible, consider disabling the plugin or seeking assistance from a web developer [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=1.17
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.