CVE-2025-53464: 
WordPress vulnerability analysis and mitigation

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in the WP Mailto Links WordPress plugin, tracked as CVE-2025-53464. The vulnerability affects versions through 3.1.4 of the plugin and was discovered by researcher Bao - BlueRock. The issue was publicly disclosed on September 22, 2025 (Patchstack).

The vulnerability is classified as an Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) issue. It has received a CVSS v3.1 score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. The vulnerability is identified as CWE-79 (NVD).

If exploited, this vulnerability could allow an attacker to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site (Patchstack).

As there is no official fix available, the recommended mitigation strategy is to remove and replace the software with an alternative solution. Deactivating the software alone does not remove the security threat unless a virtual patch is deployed (Patchstack).