CVE-2025-49057: 
WordPress vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability has been identified in Ko Min WP Voting plugin through version 1.8. The vulnerability was discovered on August 6, 2025, and publicly disclosed on August 14, 2025. This security flaw allows for Reflected XSS attacks in the WordPress plugin WP Voting (Patchstack).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 7.1 (High). The attack vector is characterized as network-accessible (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R). The scope is changed (S:C), with low impacts on confidentiality, integrity, and availability (C:L/I:L/A:L) (NVD, Patchstack).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects and unwanted advertisements, as well as other HTML payloads into the affected website. These injected scripts would be executed when visitors access the compromised site (Patchstack).

Currently, no official fix is available for this vulnerability. The software is considered potentially abandoned as it hasn't been updated for over a year. Users are strongly advised to either implement virtual patching through Patchstack's protection system or consider removing and replacing the plugin with a secure alternative (Patchstack).