CVE-2025-3488: 
WordPress vulnerability analysis and mitigation

The WPML (WordPress Multilingual) plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-3488) discovered and disclosed on May 2, 2025. The vulnerability affects versions 3.6.0 through 4.7.3 of the plugin, specifically in the wpmllanguageswitcher shortcode functionality (NVD, Wiz).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue (CWE-79: Improper Neutralization of Input During Web Page Generation) due to insufficient input sanitization and output escaping on user-supplied attributes. It has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, and required privileges (NVD).

When successfully exploited, this vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the compromised page (NVD, Wiz).

WPML has released version 4.7.4 to address this security issue. Site administrators are strongly advised to update to the latest version as soon as possible (WPML Changelog).