VYPR
Medium severity 5.9 · NVD Advisory · Published Sep 26, 2025 · Updated Apr 23, 2026

CVE-2025-60186

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alex Moss Google+ Comments google-plus-comments allows Stored XSS. This issue affects Google+ Comments: from n/a through <= 1.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in WordPress Google+ Comments plugin (≤1.0) allows attackers to inject malicious scripts via improperly neutralized input.

Vulnerability Overview

The Google+ Comments plugin for WordPress (versions up to and including 1.0) suffers from a Stored Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject arbitrary HTML and JavaScript code that persists on the server and executes in the browsers of visitors.

Exploitation Requirements

Exploitation requires a privileged user (e.g., an administrator) to perform an action such as clicking a crafted link or visiting a specially prepared page [1]. Once triggered, the injected script is stored and will execute automatically when other users access the affected site, making it a stored XSS attack.

Impact

A successful attack allows a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads, into the website [1]. These scripts execute when guests visit the site, potentially leading to data theft, defacement, or further compromise of the WordPress installation.

Mitigation

The notifier recommends immediate action: update the plugin to a patched version if available [1]. If updating is not possible, site owners should contact their hosting provider or web developer for assistance [1]. This vulnerability is noted as being used in mass-exploit campaigns, underscoring the urgency of remediation.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
