CVE-2025-48238: 
WordPress vulnerability analysis and mitigation

Cross-Site Request Forgery (CSRF) vulnerability was discovered in awcode AWcode Toolkit plugin affecting versions through 1.0.18. The vulnerability was reported on May 19, 2025, and allows attackers to perform Stored Cross-Site Scripting (XSS) attacks (Patchstack, NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.1 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N), but does need user interaction (UI:R). The scope is changed (S:C) with low impact on confidentiality, integrity, and availability (Patchstack).

This vulnerability could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication, potentially leading to stored XSS attacks. The vulnerability affects confidentiality, integrity, and availability of the system, though all at low levels (Patchstack).

The vulnerability has been patched in version 1.0.19 of the AWcode Toolkit plugin. Users are advised to update to version 1.0.19 or later to remove the vulnerability. The security issue has been classified as having a low severity impact and is considered unlikely to be exploited (Patchstack).