CVE-2025-54727

The CM On Demand Search And Replace plugin for WordPress, versions 1.5.2 and earlier, contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation. This allows an attacker to inject arbitrary scripts into plugin pages that are later executed when other users access the affected content [1].

The vulnerability does not require authentication to be initiated, but successful exploitation requires a privileged user (such as a site administrator) to trigger the malicious payload, for example by clicking a malicious link or visiting a crafted page. This makes it a Stored XSS issue where the injected script persists in the application [1].

If exploited, an attacker can inject malicious scripts — such as redirects, advertisements, or other HTML payloads — into the website. These scripts execute in the context of a visitor's browser, potentially leading to data theft, session hijacking, or defacement. The CVSS v3 base score is 5.9 (Medium) [1].

The vulnerability has been fixed in version 1.5.3. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. No workaround is provided, so updating is the only reliable mitigation [1].