CVE-2025-46478: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in metaloha Dropdown Content plugin versions through 1.0.2. The vulnerability was discovered on April 9, 2025, and publicly disclosed on April 24, 2025. This security issue affects WordPress installations using the vulnerable versions of the Dropdown Content plugin (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It has received a CVSS v3.1 score of 7.1 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires Contributor or higher level privileges to exploit (Patchstack).

If exploited, this vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack).

As of April 30, 2025, no official fix has been released for this vulnerability. Website administrators running affected versions of the Dropdown Content plugin should consider implementing additional security controls or removing the plugin until a patch becomes available (Patchstack).