CVE-2025-49031

The SMu Manual DoFollow plugin for WordPress (versions up to and including 1.8.1) contains a reflected cross-site scripting vulnerability due to improper neutralization of input during web page generation [1]. This flaw, categorized as CWE-79, allows an attacker to inject arbitrary HTML and JavaScript into a page, which is then reflected back to the victim's browser.

Exploitation requires user interaction, such as clicking a crafted link or visiting a specially prepared page [1]. An attacker does not need prior authentication to deliver the malicious payload, but the victim must be a privileged user (e.g., an administrator) for the attack to succeed in the context described. This type of vulnerability is frequently used in mass-exploit campaigns targeting WordPress sites regardless of size or popularity [1].

Successful exploitation enables an attacker to execute arbitrary scripts in the context of the victim's browser session, potentially allowing actions such as session hijacking, defacement, redirection to malicious sites, or injection of advertisements and other HTML payloads visible to site visitors [1].

As of the publication date, the vendor has not released a patched version beyond 1.8.1. The Patchstack advisory recommends updating the plugin immediately when a fix becomes available; in the interim, a mitigation rule is available from Patchstack to block attacks [1]. Users unable to update should consult their hosting provider for assistance.