CVE-2025-48315
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in stanton119 WordPress HTML custom-html-bodyhead allows Stored XSS. This issue affects WordPress HTML: from n/a through <= 0.51.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WordPress HTML plugin up to 0.51 allows authenticated attackers to inject arbitrary scripts via unsanitized input.
Vulnerability
The WordPress HTML plugin (custom-html-bodyhead) versions up to 0.51 suffer from a stored cross-site scripting (XSS) vulnerability due to improper neutralization of input during web page generation. This allows attackers to inject arbitrary HTML and JavaScript code that gets stored on the server and executed when users view the affected pages [1].
Exploitation
Exploitation requires the attacker to have at least contributor-level access to the WordPress site, as the input is likely provided through plugin settings or meta boxes. The attacker can inject malicious scripts via input fields that are not properly sanitized. User interaction is not required for the stored payload to execute; any visitor accessing the compromised page will trigger the script [1].
Impact
Successful exploitation enables an attacker to perform actions on behalf of visitors, such as redirecting users to malicious sites, displaying advertisements, stealing cookies or session tokens, and defacing the website. This vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].
Mitigation
The vulnerability has been patched in version 0.51 and later. Users are strongly advised to update the plugin immediately. If updating is not possible, consider disabling the plugin or implementing a web application firewall (WAF) to filter malicious input [1].
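The following is an added example, not code from the custom-html-bodyhead plugin or from the reference cited above. It shows the plugin-side pattern behind this CVE class in a hypothetical WordPress option (names such as `myplugin_body_html` and `myplugin_sanitize_body_html` are made up): the vulnerable form stores whatever is submitted and echoes it raw, while the hardened form runs a `sanitize_callback` on save that only lets holders of the `unfiltered_html` capability (administrators on a single site) store script content and reduces everyone else, including contributor-level accounts, to the `wp_kses_post()` allow-list. All WordPress functions used (`register_setting`, `current_user_can`, `wp_kses_post`, `get_option`, `add_options_page`, `wp_body_open`) are real core APIs.

```php
<?php
// Added example (hypothetical plugin code, not the custom-html-bodyhead plugin).
// Both variants store a block of HTML in an option and print it into the page
// body. The difference is whether the stored value is ever neutralized.

// ---------------------------------------------------------------------------
// VULNERABLE PATTERN: no sanitize_callback on save, raw echo on output.
// Any account that can reach the settings form can persist <script> markup,
// which then executes for every visitor (stored XSS).
// ---------------------------------------------------------------------------
function myplugin_register_option_vulnerable() {
    register_setting( 'myplugin', 'myplugin_body_html' ); // value stored as-is
}

function myplugin_print_body_html_vulnerable() {
    echo get_option( 'myplugin_body_html' ); // stored XSS sink: no escaping
}

// ---------------------------------------------------------------------------
// HARDENED PATTERN: sanitize on save, gated by capability, and restrict the
// settings page to users who may manage options.
// ---------------------------------------------------------------------------
function myplugin_sanitize_body_html( $input ) {
    // register_setting() runs this callback in the saving user's context, so
    // current_user_can() reflects who is actually submitting the value.
    if ( current_user_can( 'unfiltered_html' ) ) {
        // Administrators are trusted to store raw HTML (this is the plugin's
        // purpose); WordPress treats unfiltered_html as equivalent to that trust.
        return (string) $input;
    }
    // Everyone else (editors, authors, contributors): strip <script>, on*
    // event handlers, javascript: URLs and other disallowed markup.
    return wp_kses_post( (string) $input );
}

function myplugin_register_option_hardened() {
    register_setting(
        'myplugin',
        'myplugin_body_html',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'myplugin_sanitize_body_html',
            'default'           => '',
        )
    );
}

function myplugin_add_settings_page() {
    // Only users with manage_options can open the form at all; the settings
    // API adds its own nonce check when options.php processes the submission.
    add_options_page(
        'My Plugin HTML',
        'My Plugin HTML',
        'manage_options',
        'myplugin-html',
        'myplugin_render_settings_page'
    );
}

function myplugin_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // The current value is escaped for the textarea context; it is only
    // ever printed raw on the front end after the sanitize_callback ran.
    echo '<form method="post" action="options.php">';
    settings_fields( 'myplugin' );
    echo '<textarea name="myplugin_body_html" rows="10" cols="80">'
        . esc_textarea( get_option( 'myplugin_body_html', '' ) )
        . '</textarea>';
    submit_button();
    echo '</form>';
}

function myplugin_print_body_html_hardened() {
    // Safe only because the save path above guarantees that anything stored
    // by a non-privileged user has already passed through wp_kses_post().
    echo get_option( 'myplugin_body_html', '' );
}

add_action( 'admin_init', 'myplugin_register_option_hardened' );
add_action( 'admin_menu', 'myplugin_add_settings_page' );
add_action( 'wp_body_open', 'myplugin_print_body_html_hardened' );
```

The design point is that a plugin whose feature is "inject raw HTML into head or body" cannot be fixed by escaping alone, since escaping would break the feature for the administrator. The control has to move to the save path: decide who may store unfiltered markup (`unfiltered_html`), sanitize everyone else's input with `wp_kses_post()`, and keep the settings screen behind `manage_options`. A WAF rule in front of the site, as the mitigation section suggests, only reduces exposure until the plugin itself enforces this.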
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=0.51
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.