CVE-2025-52788: 
WordPress vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in Russell Jamieson's CaptionPix WordPress plugin, affecting versions up to 1.8. The vulnerability was identified on July 23, 2025, and was assigned CVE-2025-52788. This security flaw allows for Reflected XSS attacks in the plugin's functionality (Patchstack, NVD).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, specifically involving improper neutralization of input during web page generation. It has received a CVSS v3.1 score of 7.1 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD, Patchstack).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into affected websites. These injected scripts would be executed when visitors access the compromised sites. The impact is considered moderately dangerous and is expected to become actively exploited (Patchstack).

No official fix is currently available as the software appears to be abandoned. The last update was over a year ago, and it's unlikely to receive further updates. Users are strongly advised to remove and replace the plugin with an alternative solution. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available (Patchstack).