CVE-2025-60160

Vulnerability

Overview

The Smart Related Products plugin for WordPress (versions up to 2.0.8) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript code that is stored on the server and executed when other users view the affected pages.

Exploitation

Requirements

Exploitation requires a privileged user—such as an administrator—to perform an action like clicking a malicious link or submitting a crafted form [1]. The attacker does not need direct access to the site but must convince a higher-privileged user to interact with a specially crafted payload. Once triggered, the injected script persists in the plugin's output.

Impact

A successful attack enables the attacker to execute arbitrary scripts in the context of the victim's browser. This can be used to redirect visitors to malicious sites, display unwanted advertisements, steal session cookies, or perform other actions that compromise the integrity and confidentiality of the site [1]. The vulnerability is noted as being used in mass-exploit campaigns targeting thousands of websites.

Mitigation

Users are strongly advised to update the plugin to the latest patched version immediately. If an update is not available, temporary measures such as disabling the plugin or implementing a web application firewall may reduce risk [1].