CVE-2025-1486: 
WordPress vulnerability analysis and mitigation

The WoWPth WordPress plugin through version 2.0 contains a Reflected Cross-Site Scripting vulnerability identified as CVE-2025-1486. The vulnerability was discovered by Hassan Khan Yusufzai (Splint3r7) and publicly disclosed on February 20, 2025. The issue affects all versions of the plugin up to and including version 2.0 (WPScan).

The vulnerability exists because the plugin fails to properly sanitize and escape a parameter before outputting it back in the page. This security flaw has been assigned a CVSS v3.1 base score of 7.1 (HIGH) and is classified under CWE-79 (Cross-Site Scripting). The vulnerability can be exploited through the createTheme.php file by manipulating the themeName parameter (WPScan).

The vulnerability allows attackers to execute arbitrary JavaScript code in the context of high-privilege users' browsers, such as administrators. This could potentially lead to account compromise, data theft, or unauthorized administrative actions when an administrator visits a specially crafted URL (WPScan).

Currently, there is no known fix available for this vulnerability. Website administrators running the affected plugin should consider either removing it or implementing additional security controls to protect against XSS attacks (WPScan).