CVE-2025-50046

Root

Cause CVE-2025-50046 is a stored Cross-Site Scripting (XSS) vulnerability in the WordPress plugin WPComplete (versions up to and including 2.9.5). The flaw stems from improper neutralization of user input during web page generation, allowing an attacker to store malicious scripts that later execute in the context of a visitor's browser [1].

Exploitation

Exploitation requires a privileged user (e.g., an editor or administrator) to trigger the stored payload, either by clicking a crafted link or submitting malicious form data. The attacker does not need direct access to the server but must entice a privileged user into performing an action [1]. Once stored, the script executes in the browsers of subsequent site visitors, including guests.

Impact

A successful attack enables the injection of arbitrary HTML and JavaScript, which can be used to redirect users, display advertisements, steal session cookies, or deface the site. This can lead to widespread impact if the site has many visitors, as the payload runs automatically without requiring user interaction from victims [1].

Mitigation

The vulnerability is patched in version 2.9.5.1. Users should update immediately. Auto-update is available for Patchstack users. The vendor rates the severity as medium (CVSS 6.5) and notes that while mass-exploitation campaigns are possible, immediate action is recommended [1].