CVE-2025-48102: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in the GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership WordPress plugin, identified as CVE-2025-48102. The vulnerability affects versions through 1.6.6 of the plugin and was disclosed on September 5, 2025. This stored XSS vulnerability allows malicious actors with administrator privileges to inject malicious scripts into the web application (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring high privileges (PR:H) and user interaction (UI:R). The scope is changed (S:C) with low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L) (NVD, Patchstack).

The vulnerability could allow attackers to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website, which would be executed when guests visit the site. The impact is considered low severity due to the requirement of administrator privileges and user interaction (Patchstack).

As there is no official fix available and the software is considered abandoned, the recommended mitigation is to remove and replace the plugin with an alternative solution. Deactivating the software alone does not remove the security threat unless a virtual patch is deployed (Patchstack).