VYPR
Medium severity (5.9) · NVD Advisory · Published Jun 6, 2025 · Updated Apr 23, 2026

CVE-2025-49318

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPtouch WPtouch wptouch allows Stored XSS. This issue affects WPtouch: from n/a through <= 4.3.60.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in WPtouch WordPress plugin (≤4.3.60) allows attackers to inject persistent malicious scripts via unescaped input.

Vulnerability

The WPtouch WordPress plugin (versions from n/a through ≤4.3.60) suffers from a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. The vulnerability, classified as Improper Neutralization of Input During Web Page Generation, exists in the plugin's administration panel or customizer where inputs are not sanitized before being stored and later rendered. Affected versions include all releases up to and including 4.3.60; the plugin changelog indicates that a security fix was applied in version 4.3.61 [1].
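To make the store-then-render failure concrete, the following is an added illustration in PHP and is not WPtouch's code: the option name `hypo_site_title` and all `hypo_*` functions are hypothetical. It places the unsanitized settings handler beside the hardened form that uses the WordPress Settings API (sanitize on write, escape on output):

```php
<?php
// Added illustration, not the plugin's code. Option/field names are hypothetical.

// VULNERABLE pattern: the raw POST value is persisted, and the raw option value is
// later echoed into admin HTML. No capability check or nonce either.
function hypo_save_setting_vulnerable() {
    if ( isset( $_POST['hypo_site_title'] ) ) {
        update_option( 'hypo_site_title', $_POST['hypo_site_title'] ); // stored as-is
    }
}
function hypo_render_field_vulnerable() {
    $value = get_option( 'hypo_site_title', '' );
    // Whatever was stored above is now rendered for every admin who opens the page.
    echo '<input type="text" name="hypo_site_title" value="' . $value . '">';
}

// HARDENED pattern: register the option with a sanitize_callback so every write
// through the Settings API is cleaned, then escape for the output context.
function hypo_register_setting() {
    register_setting(
        'hypo_options',                      // option group used by settings_fields()
        'hypo_site_title',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'sanitize_text_field', // strips tags, normalises whitespace
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'hypo_register_setting' );

function hypo_render_field_hardened() {
    $value = get_option( 'hypo_site_title', '' );
    // esc_attr() encodes quotes and angle brackets for the HTML-attribute context, so
    // a value that survived sanitization still cannot break out of the attribute.
    printf(
        '<input type="text" name="hypo_site_title" value="%s">',
        esc_attr( $value )
    );
}
// Submitting the form through options.php (settings_fields('hypo_options') in the
// form) also gives the manage_options capability check and nonce validation that
// the vulnerable handler above omits.
```

Both layers matter: sanitization limits what reaches the database, and context-aware escaping protects the render path even if a value arrived by another route.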

Exploitation

An attacker requires a WordPress account with sufficient privileges to access the WPtouch settings pages (e.g., administrator or customizer roles). The attacker can inject malicious JavaScript or HTML into input fields that are not properly sanitized. The injected payload is stored in the WordPress database and subsequently displayed to other users (including other administrators) when they visit the affected admin pages. Exploitation depends on the attacker having write access to the vulnerable plugin’s configuration inputs.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of an authenticated administrator's browser session. This can lead to privilege escalation, creation of rogue admin accounts, theft of session cookies, or defacement of the site. The impact is limited to the administrative interface, but an administrator compromised through XSS can then fully control the WordPress site.

Mitigation

The vulnerability is fixed in WPtouch version 4.3.61, released on May 17th, 2025, and later versions [1]. All users are strongly advised to update to at least version 4.3.61 immediately. For versions prior to 4.3.60, no other workarounds have been disclosed; the only effective mitigation is applying the patch. No known exploitation in the wild has been reported as of the publication date.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 1
