CVE-2025-46475: 
WordPress vulnerability analysis and mitigation

The vulnerability identified as CVE-2025-46475 is a Cross-site Scripting (XSS) vulnerability discovered in terrillthompson Able Player through version 1.2.1. This DOM-Based XSS vulnerability affects the WordPress plugin Able Player and was disclosed on April 24, 2025 (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires contributor-level privileges or higher to exploit (NVD).

This vulnerability could allow a malicious actor with contributor-level access to inject malicious scripts into the website. When executed, these scripts could potentially lead to redirects, unauthorized advertisements, and other malicious HTML payloads that would affect visitors to the affected website (Patchstack).

The vulnerability has been patched in version 1.2.2 of the Able Player plugin. Users are advised to update to version 1.2.2 or later to remove the vulnerability. For additional protection, Patchstack users can enable auto-update functionality for vulnerable plugins (Patchstack).