CVE-2025-49038: 
WordPress vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in Soflyy WP Dynamic Links plugin versions through 1.0.1. The vulnerability was discovered by Nguyen Xuan Chien and was publicly disclosed on August 14, 2025. This security flaw affects WordPress installations using the WP Dynamic Links plugin (NVD, Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) issue. It has received a CVSS v3.1 base score of 7.1 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability can be exploited remotely and requires user interaction, with no authentication needed (Patchstack).

If exploited, this vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the affected website. These injected scripts would be executed when visitors access the compromised site (Patchstack).

No official fix is currently available for this vulnerability. Users are advised to either remove and replace the software or implement virtual patching through security solutions. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available (Patchstack).