CVE-2025-53987: 
WordPress vulnerability analysis and mitigation

A possible XSS vulnerability was discovered in Rails::HTML::Sanitizer version 1.6.0 when used with Rails >= 7.1.0. The vulnerability was disclosed on December 2, 2024, and affects the HTML sanitization functionality in Rails applications. The issue specifically occurs when HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags where the 'style' element is explicitly allowed and the 'svg' or 'math' element is not allowed (GitHub Advisory).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting). It received a CVSS 3.1 Base Score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Under CVSS 4.0, it was assigned a score of 2.3 (LOW) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N (NVD).

The vulnerability could allow an attacker to inject malicious content through cross-site scripting when specific conditions are met in the sanitizer's configuration. The impact is considered moderate, with potential for limited confidentiality and integrity breaches (NVD).

The vulnerability has been fixed in Rails::HTML::Sanitizer version 1.6.1. Users are advised to update to this version to address the security issue. A patch has been made available through the official repository (GitHub Patch).