CVE-2025-8046: 
WordPress vulnerability analysis and mitigation

The Injection Guard WordPress plugin before version 1.2.8 contains a Reflected Cross-Site Scripting vulnerability (CVE-2025-8046) discovered and disclosed on August 14, 2025. The vulnerability affects the plugin's handling of the $_SERVER['REQUEST_URI'] parameter, which is not properly escaped before being output in an attribute (NVD, WPScan).

The vulnerability stems from insufficient input sanitization and output escaping of the $_SERVER['REQUEST_URI'] parameter. When this parameter is processed and returned in an attribute, it lacks proper escaping mechanisms, potentially allowing for the injection of malicious scripts. The vulnerability has received a CVSS 3.1 Base Score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts that execute when users perform specific actions, such as clicking on a malicious link. This could lead to the potential compromise of user data and session information in older web browsers (Rapid7).

Users are advised to update the Injection Guard plugin to version 1.2.8 or later, which contains fixes for this vulnerability (WPScan).