CVE-2025-43841: 
WordPress vulnerability analysis and mitigation

The vulnerability (CVE-2025-43841) is a Stored Cross-Site Scripting (XSS) vulnerability affecting the WP Vegas WordPress plugin versions up to and including 2.2. The vulnerability was discovered and reported by researcher johska on April 18, 2025, and was publicly disclosed on April 25, 2025 (Patchstack).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, specifically of the stored variety, which falls under the OWASP Top 10 category A3: Injection. It has received a CVSS v3.1 score of 6.5 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires Contributor-level privileges or higher to exploit (Patchstack).

This vulnerability could allow a malicious actor with Contributor-level access to inject malicious scripts into the website. When executed, these scripts could potentially lead to unauthorized redirects, malicious advertisement insertions, and other HTML payload executions when visitors access the affected site (Patchstack).

As of April 30, 2025, no official fix has been released for this vulnerability. The issue affects all versions up to and including 2.2 of the WP Vegas plugin (Patchstack).