CVE-2025-48251: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability was discovered in WPFactory Additional Custom Emails & Recipients for WooCommerce plugin affecting versions through 3.5.1. The vulnerability was disclosed on May 19, 2025 (NVD, Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') with a CVSS v3.1 base score of 6.5 (Medium). The attack vector is Network-based (AV:N), with Low attack complexity (AC:L), requiring Low privileges (PR:L) and User interaction (UI:R). The scope is Changed (S:C) with Low impact on Confidentiality, Integrity, and Availability (NVD).

This vulnerability allows attackers to inject malicious scripts that will be executed when users visit the affected site. The stored XSS nature of the vulnerability means that the malicious payload persists in the database and executes whenever a user accesses the infected page, potentially leading to session hijacking, defacement, or theft of sensitive information (Patchstack).

Users are advised to update to version 3.5.2 or later which contains the fix for this vulnerability. The issue has been assigned a low patch priority, suggesting that while updating is recommended, the risk of immediate exploitation is considered low (Patchstack).