CVE-2025-49031: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in Stefan M. SMu Manual DoFollow WordPress plugin versions through 1.8.1. The vulnerability was disclosed on July 16, 2025, and assigned identifier CVE-2025-49031. This security flaw affects the WordPress plugin SMu Manual DoFollow and allows for improper neutralization of input during web page generation (Patchstack).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.1 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The security flaw is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability allows for Reflected XSS attacks against the application (Patchstack).

If exploited, this vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack).

No official fix is currently available for this vulnerability. The software is considered abandoned as it hasn't been updated for over a year. Users are advised to remove and replace the plugin with an alternative solution. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available (Patchstack).