CVE-2025-49053: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability has been identified in kadesthemes WP Airdrop Manager plugin versions through 1.0.5. The vulnerability was discovered on August 13, 2025, and was assigned CVE-2025-49053. This security flaw affects WordPress installations using the WP Airdrop Manager plugin (NVD, Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (CWE-79) that allows for Stored XSS attacks. The CVSS v3.1 base score is 5.9 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires editor-level privileges to exploit (Patchstack).

This vulnerability could allow a malicious actor to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack).

As there is no official fix available, the recommended mitigation is to remove and replace the software with an alternative solution. Deactivating the software alone does not remove the security threat unless a virtual patch is deployed (Patchstack).