CVE-2025-46504: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the WordPress Vasaio QR Code plugin, affecting versions up to 1.2.5. The vulnerability was reported on April 4, 2025, and publicly disclosed on April 24, 2025. This security issue allows for Stored Cross-Site Scripting (XSS) attacks through CSRF exploitation (Patchstack).

The vulnerability has been assigned CVE-2025-46504 and is classified under CWE-352 (Cross-Site Request Forgery). It received a CVSS v3.1 Base Score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability can be exploited without authentication, indicating a significant security risk (NVD, Patchstack).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication. Additionally, the combination of CSRF with Stored XSS capabilities increases the potential impact on affected systems (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. Patchstack has classified this as a low-priority issue and indicates that virtual patching is unnecessary (Patchstack).