CVE-2025-48241: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in Soft8Soft LLC's Verge3D plugin, tracked as CVE-2025-48241. The vulnerability affects versions through 4.9.3 of the Verge3D plugin and was disclosed on May 23, 2025. This security flaw allows for improper neutralization of input during web page generation (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The attack vector is network-based, requires low attack complexity, needs no privileges, but does require user interaction. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website, which would be executed when guests visit the site. This could lead to compromised data confidentiality, integrity, and availability, albeit at a low level for each impact category (Patchstack).

Users are advised to update to Verge3D version 4.9.4 or later, which contains the fix for this vulnerability. For temporary mitigation, Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users can update to a fixed version (Patchstack).