CVE-2025-48365
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in imaprogrammer Custom Comment customcomment allows Stored XSS. This issue affects Custom Comment: from n/a through <= 2.1.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Custom Comment plugin (≤2.1.6) lets attackers inject persistent scripts via comment input, leading to redirects and ads.
Vulnerability
Details
CVE-2025-48365 describes a stored cross-site scripting (XSS) vulnerability in the WordPress plugin Custom Comment (versions 2.1.6 and earlier). The plugin fails to properly neutralize user-supplied input during web page generation, allowing attackers to inject arbitrary scripts that are saved on the server and later executed in the browsers of visitors [1]. This is a classic improper output encoding flaw in the comment handling logic.
Exploitation
An attacker with the required privileges (typically a contributor or higher) can submit a crafted comment containing malicious JavaScript [1]. The payload is stored in the database and rendered on the comment page without sanitization. No additional user interaction from the victim is required besides visiting the affected page — the script executes automatically when the page loads. The attacker does not need to trick an admin into clicking a link; the stored payload is the delivery mechanism.
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's session. Common payloads include redirects to malicious sites, injection of unwanted advertisements, data theft via session hijacking, or defacement of the website [1]. Because the XSS is stored, every visitor to the affected page is at risk until the malicious content is removed.
Mitigation
The vulnerability is confirmed up to version 2.1.6. The recommended action is to update the plugin to a patched version if available. If updating is not possible, site administrators should disable or remove the plugin [1]. Hosting providers may assist in hardening or temporarily blocking the vulnerable functionality.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 2.1.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.