CVE-2025-48304: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the Gary Illyes Google XML News Sitemap WordPress plugin, which also allows for Stored Cross-Site Scripting (XSS) attacks. The vulnerability affects all versions of the plugin through version 0.02. This security issue was initially reported by Nguyen Xuan Chien on August 12, 2025, and was publicly disclosed on August 25, 2025 (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High), with the following vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The attack vector is network-based, requires low attack complexity, needs no privileges, but does require user interaction. The vulnerability has been classified under CWE-352 (Cross-Site Request Forgery) (NVD, Patchstack).

The vulnerability could allow malicious actors to force higher privileged users to execute unwanted actions under their current authentication, potentially leading to stored cross-site scripting attacks. The software is considered abandoned, as it hasn't been updated for over a year, increasing the security risk for users (Patchstack).

No official fix is available for this vulnerability as the software is abandoned. The recommended solution is to remove and replace the plugin with an alternative solution. Users should note that simply deactivating the software does not remove the security threat unless a virtual patch is deployed (Patchstack).