CVE-2025-48322: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in Finn Dohrn's Statify Widget plugin affecting versions through 1.4.6. The vulnerability was discovered and reported by theviper17, and was assigned CVE-2025-48322 on August 28, 2025 (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 base score of 6.5 (Medium). The attack vector is Network-based (AV:N), with Low attack complexity (AC:L), requiring Low privileges (PR:L) and User interaction (UI:R). The scope is Changed (S:C) with Low impact on Confidentiality, Integrity, and Availability (AttackerKB).

The vulnerability allows attackers to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts will be executed when visitors access the affected site (Patchstack).

Currently, no official patch has been released to address this vulnerability. Given the low severity impact and the requirement for authenticated access, the vulnerability is considered unlikely to be exploited (Patchstack).