CVE-2025-46487: 
WordPress vulnerability analysis and mitigation

The EC Authorize.net WordPress plugin versions 0.3.3 and below contains a Reflected Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-46487. This security flaw was discovered by researcher johska and publicly disclosed on May 2, 2025. The vulnerability allows for improper neutralization of input during web page generation, specifically affecting the sftranna EC Authorize.net plugin (Patchstack, Wiz).

The vulnerability has been assigned a CVSS v3.1 score of 7.1 (High), with the following vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability type is classified as Cross-Site Scripting (XSS) and falls under the OWASP Top 10 category A3: Injection. The vulnerability can be exploited by unauthenticated users, making it particularly concerning (Patchstack).

This vulnerability could allow malicious actors to inject harmful scripts, including redirects, advertisements, and other HTML payloads into affected websites. These injected scripts would be executed when visitors access the compromised sites, potentially leading to various forms of user manipulation or data theft (Wiz).

While no official patch is currently available, Patchstack has issued a virtual patch to mitigate this vulnerability by blocking potential attacks. Website administrators are advised to implement these mitigations immediately to protect their sites until an official fix becomes available (Wiz).