CVE-2025-46540: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the GNA Search Shortcode WordPress plugin, affecting versions up to and including 0.9.5. The vulnerability was discovered by researcher johska and was assigned CVE-2025-46540. The issue was reported on April 15, 2025, and publicly disclosed on April 24, 2025 (Patchstack).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 score of 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability falls under the OWASP Top 10 category A3: Injection. The issue requires contributor-level privileges or higher to exploit (Patchstack).

If exploited, this vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected pages (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. Given the low severity impact and unlikely exploitation probability, virtual patching is deemed unnecessary (Patchstack).