VYPR
High severity (CVSS 7.1) · NVD Advisory · Published Nov 6, 2025 · Updated Apr 27, 2026

CVE-2025-49905

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PluginsCafe Range Slider Addon for Gravity Forms (plugin slug: range-slider-addon-for-gravity-forms) allows Reflected XSS. This issue affects Range Slider Addon for Gravity Forms: from n/a through <= 1.1.6.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in Range Slider Addon for Gravity Forms WordPress plugin versions <=1.1.6 allows attackers to inject malicious scripts via crafted requests.

The vulnerability is a reflected Cross-Site Scripting (XSS) issue in the Range Slider Addon for Gravity Forms WordPress plugin, affecting versions up to and including 1.1.6 [1]. The root cause is improper neutralization of user-supplied input during web page generation, which allows an attacker to inject arbitrary HTML and JavaScript into the page [1].

Exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page [1]. The attack can be initiated by any unauthenticated user, but successful execution depends on a privileged user (e.g., an administrator) performing an action, such as clicking a specially crafted URL [1]. The attack vector is the network: no authentication is needed to deliver the payload, but user interaction is required for it to execute.

A successful attack could allow an attacker to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, which would execute when visitors access the affected site [1]. This could lead to data theft, defacement, or further compromise of the WordPress installation.

The vulnerability has been patched in version 1.1.7 of the plugin [1]. Users are strongly advised to update immediately. As an interim measure, Patchstack users can apply a mitigation rule to block attacks until the update is applied [1]. The vulnerability is considered moderately dangerous and is expected to be exploited in mass campaigns [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (1)

News mentions (0)

No linked articles in our index yet.