CVE-2025-54747

Vulnerability

Overview CVE-2025-54747 describes a DOM-based Cross-Site Scripting (XSS) vulnerability in the Templatera plugin for WordPress, affecting versions from n/a through 2.3.0. The root cause is improper neutralization of user input during web page generation, which enables an attacker to inject malicious scripts into the application's DOM environment [1].

Exploitation

Prerequisites Exploitation requires a privileged user to perform an action such as clicking a malicious link or visiting a crafted page. The vulnerability is initiated by an authenticated user with necessary privileges, but successful script execution depends on the victim's interaction with the injected content [1].

Impact

A successful attack allows a malicious actor to inject arbitrary scripts, including redirects, advertisements, and other HTML payloads. These scripts execute in the context of the victim's browser when visiting the affected site, potentially leading to data theft, session hijacking, or defacement [1].

Mitigation

Users should update Templatera to version 2.4.0 or later to remediate the issue. The vendor has released this patched version, and Patchstack users can enable auto-update for vulnerable plugins. While the severity is rated medium (CVSS 6.5), the vulnerability may be used in mass-exploit campaigns affecting thousands of sites [1].