CVE-2025-48104: 
WordPress vulnerability analysis and mitigation

Cross-Site Request Forgery (CSRF) vulnerability was discovered in ericzane Floating Window Music Player WordPress plugin, affecting versions through 3.4.2. The vulnerability was disclosed on September 2, 2025, and was assigned CVE-2025-48104. This security issue allows for Stored Cross-Site Scripting (XSS) attacks through CSRF (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The attack vector is network-based, requires low attack complexity, needs no privileges, but does require user interaction. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) (NVD).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication, potentially leading to stored cross-site scripting attacks. The impact affects confidentiality, integrity, and availability, all rated as Low according to the CVSS metrics (Patchstack).

As no official fix is available and the software is considered abandoned, the recommended mitigation is to remove and replace the Floating Window Music Player plugin with an alternative solution. Note that merely deactivating the software does not remove the security threat unless a virtual patch is deployed (Patchstack).