CVE-2025-27346: 
WordPress vulnerability analysis and mitigation

The Rebuild Permalinks WordPress plugin contains a Reflected Cross-Site Scripting (XSS) vulnerability affecting versions up to and including 1.6. The vulnerability was discovered by researcher 0xd4rk5id3 and was publicly disclosed on February 21, 2025. This security issue has been assigned CVE-2025-27346 and received a CVSS score of 7.1 (Medium severity) (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') issue. It allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform certain actions, such as clicking on a malicious link. The vulnerability stems from insufficient input sanitization and output escaping in the plugin's functionality (CVE Mitre, Patchstack).

The vulnerability allows malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into affected websites. These injected scripts will be executed when visitors access the compromised site, potentially leading to various forms of client-side attacks (Patchstack).

Currently, there is no official fix available from the plugin developer. However, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the virtual patch immediately or consider alternative plugins (Patchstack).