CVE-2025-1487: 
WordPress vulnerability analysis and mitigation

The WoWPth WordPress plugin through version 2.0 contains a Reflected Cross-Site Scripting vulnerability, identified as CVE-2025-1487. The vulnerability was discovered by Hassan Khan Yusufzai (Splint3r7) and was publicly disclosed on February 20, 2025. The issue affects the plugin's parameter handling functionality, which fails to properly sanitize and escape user input before reflecting it back to the page (WPScan).

The vulnerability exists in the createAdvancedTheme.php file of the WoWPth plugin, where a parameter is directly output without proper sanitization or escaping. The vulnerability has been assigned a CVSS 3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is classified as CWE-79 and falls under the OWASP Top 10 category A7: Cross-Site Scripting (XSS) (WPScan, NVD).

The vulnerability could be exploited against high-privilege users such as administrators, potentially allowing attackers to execute arbitrary JavaScript code in the context of the victim's browser session. This could lead to unauthorized actions, data theft, or manipulation of the WordPress installation (WPScan).

Currently, there is no known fix available for this vulnerability. Users of the WoWPth plugin should consider either removing the plugin or implementing additional security controls until a patch is released (WPScan).