CVE-2025-48235: 
WordPress vulnerability analysis and mitigation

A DOM-Based Cross-site Scripting (XSS) vulnerability was discovered in the WP Image Mask WordPress plugin, developed by Bogdan Bendziukov. The vulnerability affects all versions of WP Image Mask up to and including version 3.1.2. This security issue was disclosed on May 19, 2025 (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires low privileges and user interaction to exploit, with the attack vector being network-accessible. The scope is changed, and the impact affects confidentiality, integrity, and availability at a low level (NVD).

If successfully exploited, this vulnerability could allow an attacker to inject malicious scripts that would be executed when users visit the affected website. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the victim's browser (Patchstack).

The vulnerability has been fixed in version 3.1.3 of the WP Image Mask plugin. Users are strongly recommended to update to this version or later to protect against this security issue. No other workarounds are currently available (Patchstack).