CVE-2025-47615: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the Amazon Product in a Post WordPress plugin, affecting versions through 5.2.2. The vulnerability was discovered by Nabil Irawan and disclosed on May 7, 2025, receiving the identifier CVE-2025-47615. This security issue impacts the flowdee Amazon Product in a Post plugin, which appears to be abandoned as it hasn't received updates in over a year (Wiz, NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 5.9 (Medium). The attack vector is Network-based (AV:N), with Low attack complexity (AC:L), requiring High privileges (PR:H) and User interaction (UI:R). The scope is Changed (S:C), with Low impact on Confidentiality, Integrity, and Availability (C:L/I:L/A:L) (NVD, Wiz).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site. The impact is considered low severity but could affect website integrity and user experience (Patchstack).

No official fix is available as the software appears to be abandoned. The recommended mitigation is to remove and replace the plugin with an alternative solution. Deactivating the software alone does not remove the security threat unless a virtual patch (vPatch) is deployed (Patchstack).