CVE-2025-46440: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the WordPress kStats Reloaded plugin, affecting versions up to 0.7.4. The vulnerability, tracked as CVE-2025-46440, was discovered by researcher Nguyen Xuan Chien and publicly disclosed on May 2, 2025. This security flaw involves improper neutralization of input during web page generation (Patchstack, Wiz).

The vulnerability has been assigned a CVSS v3.1 score of 7.1 (High severity), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. This XSS vulnerability can be exploited without authentication and falls under the OWASP Top 10 category A3: Injection. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (Patchstack).

When exploited, this vulnerability allows malicious actors to inject malicious scripts into the affected website. These injected scripts can be used to create redirects, insert unwanted advertisements, and execute other HTML payloads. The scripts are triggered when visitors access the compromised website (Wiz, Patchstack).

While no official fix is currently available, Patchstack has issued a virtual patch to mitigate this vulnerability by blocking potential attacks. Website administrators are strongly advised to implement these mitigations immediately to protect their sites. The virtual patching solution provides temporary protection until an official fix becomes available (Wiz, Patchstack).