VYPR
Medium severity · 5.9 · NVD Advisory · Published Sep 26, 2025 · Updated Apr 23, 2026

CVE-2025-60146

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Amit Verma Map Categories to Pages (map-categories-to-pages) allows Stored XSS. This issue affects Map Categories to Pages: from n/a through <= 1.3.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Amit Verma's Map Categories to Pages WordPress plugin (≤1.3.2) allows attackers to inject malicious scripts into pages viewed by visitors.

Vulnerability

CVE-2025-60146 describes a Stored Cross-Site Scripting (XSS) vulnerability in the Map Categories to Pages WordPress plugin by Amit Verma, affecting all versions up to and including 1.3.2. The plugin fails to properly neutralize user input during web page generation, enabling an authenticated attacker with sufficient privileges to inject arbitrary JavaScript code into saved content. This injected script will then be executed by any visitor loading the affected page [1].
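The bug class behind this advisory is a value that is accepted from an admin form, stored in the database, and later written into a page without escaping. The following is an added illustration of that pattern and its fix; it is not the Map Categories to Pages plugin's code, and the option name, field name, nonce action and shortcode tag (all prefixed `mctp_demo_`) are assumptions chosen for the example. The WordPress API calls (`update_option`, `get_option`, `current_user_can`, `check_admin_referer`, `sanitize_text_field`, `wp_unslash`, `esc_html`, `esc_attr`, `esc_url`, `add_shortcode`, `add_action`) are the real core functions.

```php
<?php
// Added example, not the plugin's code. A hypothetical settings value
// (a per-mapping label) is saved from an admin form and rendered on the
// front end via a shortcode. Names prefixed mctp_demo_ are assumptions.

// ---------- Vulnerable pattern ----------
// 1. No capability check, no nonce, no sanitization on save.
function mctp_demo_save_vulnerable() {
    update_option( 'mctp_demo_label', $_POST['mctp_label'] );
}

// 2. The stored value is concatenated into HTML verbatim, so a payload such as
//    <script>...</script> or an onerror= attribute runs for every visitor of
//    any page that contains the shortcode. This is the stored XSS.
function mctp_demo_render_vulnerable() {
    return '<span class="mctp-label">' . get_option( 'mctp_demo_label', '' ) . '</span>';
}

// ---------- Hardened pattern ----------
// Save handler: restrict to a privileged capability, require a nonce (so a
// logged-in admin cannot be tricked into saving the payload cross-site), and
// sanitize the value to plain text before it is stored.
function mctp_demo_save_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'mctp_demo_save', 'mctp_demo_nonce' );

    $label = isset( $_POST['mctp_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['mctp_label'] ) )
        : '';
    update_option( 'mctp_demo_label', $label );

    wp_safe_redirect( admin_url( 'options-general.php?page=mctp-demo&saved=1' ) );
    exit;
}

// Output: escape for the exact context the value lands in. Sanitizing on save
// is defence in depth; escaping on output is what actually stops the injection,
// because the database may already contain bad data from an older version.
function mctp_demo_render_hardened() {
    return '<span class="mctp-label">' . esc_html( get_option( 'mctp_demo_label', '' ) ) . '</span>';
}

// Same value inside an attribute: esc_attr() for the attribute, esc_url() for
// the href, esc_html() for the text node. Mixing these up is a common cause of
// "escaped but still exploitable" output.
function mctp_demo_render_link_hardened() {
    $label = get_option( 'mctp_demo_label', '' );
    return '<a href="' . esc_url( home_url( '/' ) ) . '" title="' . esc_attr( $label ) . '">'
        . esc_html( $label ) . '</a>';
}

// Admin form that pairs with the hardened save handler.
function mctp_demo_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="mctp_demo_save">';
    wp_nonce_field( 'mctp_demo_save', 'mctp_demo_nonce' );
    echo '<input type="text" name="mctp_label" value="'
        . esc_attr( get_option( 'mctp_demo_label', '' ) ) . '">';
    submit_button();
    echo '</form>';
}

add_shortcode( 'mctp_demo_label', 'mctp_demo_render_hardened' );
add_action( 'admin_post_mctp_demo_save', 'mctp_demo_save_hardened' );
```

When reviewing a plugin for this class of bug, trace each `get_option()` / `get_post_meta()` read to the point where it is concatenated into markup and confirm an `esc_*()` call matching that context sits between the two; a `sanitize_*()` call on the save path alone is not sufficient, because values written by earlier versions, by other code, or via direct database access bypass it.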

Exploitation

To exploit this vulnerability, an attacker must already hold a privileged account on the WordPress site: the medium score reflects that the payload is stored through functionality available only to a high-privilege role, not to anonymous or low-privilege users. User interaction is also required, but on the victim's side: the stored script fires when another user (a visitor or an administrator) loads a page on which the plugin renders the tainted value, so no crafted link needs to be clicked once the payload is in place. The attack is carried out remotely over the network and needs no configuration beyond the default plugin setup. The CVSS v3 base score of 5.9 reflects this medium severity, driven by the privilege requirement and the need for user interaction [1].

Impact

Successful exploitation allows the attacker to inject arbitrary HTML and JavaScript that executes in the browser of every user who loads the affected page. Typical payloads redirect visitors to malicious sites, inject unwanted advertisements or defacement, or act with the victim's session. Note that WordPress sets its authentication cookies as HttpOnly by default, so outright cookie theft via `document.cookie` is usually not available; the more practical path is to issue authenticated requests from the victim's browser (for example, against the REST API or admin-ajax.php, where the page's nonces are readable to the script) to create an administrator account or install a backdoor plugin when the victim is an administrator. Because the injected script is stored and executed on each page load, the attack accumulates victims over time. Such XSS vulnerabilities are routinely folded into mass-exploitation campaigns against WordPress, so the risk to site owners is significant regardless of how much traffic the site receives [1].

Mitigation

At the time of writing the vendor has not released a patched version. Until one is available, the only effective mitigation is to deactivate or remove the plugin; if a fixed release appears, update to it promptly and verify that the installed version is above 1.3.2. In the meantime, limit the number of accounts holding the privileges needed to edit the plugin's stored content, since the attacker must already have such an account. Web application firewall rules or a Content Security Policy can reduce the impact of a fired payload but do not address the stored XSS itself, so neither should be treated as a substitute for removing the plugin. Site owners who cannot assess this themselves should consult their hosting provider or a web developer [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)