CVE-2025-49266: 
WordPress vulnerability analysis and mitigation

CVE-2025-49266 is a Cross-Site Scripting (XSS) vulnerability discovered in the WordPress Ultimate Reviews plugin affecting versions through 3.2.14. The vulnerability was initially reported on April 18, 2025, and publicly disclosed on June 11, 2025. This security flaw specifically allows for Reflected XSS attacks in the Rustaurius Ultimate Reviews plugin (Patchstack, Wiz).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). It has received a CVSS v3.1 Base Score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability requires no authentication to exploit and involves user interaction (NVD, Patchstack).

This vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site, potentially compromising user security and website integrity (Patchstack).

The vulnerability has been patched in version 3.2.15 of the Ultimate Reviews plugin. Users are advised to update to this version or later immediately. For those unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).