VYPR
Medium severity 5.9 · NVD Advisory · Published Aug 20, 2025 · Updated Apr 23, 2026

CVE-2025-49412

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in numixtech Page Transition page-transition allows Stored XSS. This issue affects Page Transition: from n/a through <= 1.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in the WordPress Page Transition plugin up to version 1.3 allows authenticated attackers to inject arbitrary scripts.

Vulnerability Overview

The WordPress Page Transition plugin (versions <= 1.3) contains a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of input during web page generation [1]. This flaw enables authenticated attackers, such as authors or editors, to inject malicious scripts that are permanently stored on the server and executed when any user visits the affected page [1].

Exploitation Prerequisites

Exploitation requires a user with the appropriate role (e.g., administrator or editor) to perform an action such as clicking a crafted link or submitting a specially prepared form [1]. The attack does not rely on high traffic or site popularity, making it suitable for mass campaigns targeting thousands of WordPress installations [1].

Impact

If successfully exploited, an attacker can inject arbitrary HTML or JavaScript payloads, including redirects, advertisements, or other malicious content [1]. These scripts execute in the browsers of visitors, potentially leading to data theft, phishing, or further compromise of the site [1].

Mitigation

The vendor has not released a fix for this vulnerability; the plugin appears to be abandoned or end-of-life [1]. Users are strongly advised to remove or replace the plugin immediately. As an interim measure, consult a hosting provider or web developer for guidance [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
