Attack Vectors
CVE-2025-47604 is a Medium severity (CVSS 6.4) Stored Cross-Site Scripting (XSS) vulnerability affecting the Inline Related Posts WordPress plugin (intelly-related-posts) in versions up to and including 3.8.0.
The primary attack path is through a user who already has a WordPress account with Contributor-level access or higher. In many organizations, contributors include internal staff, agencies, freelancers, or partners who may legitimately create or edit content but should not be able to run scripts on your site.
Because this is stored XSS, the malicious code is saved in the site’s content and can execute automatically when a page is viewed—potentially impacting executives, employees, customers, and prospects who simply visit an affected page.
Security Weakness
The issue is caused by insufficient input sanitization and output escaping in Inline Related Posts versions ≤ 3.8.0. In practical terms, the plugin does not adequately prevent unsafe content from being saved and later rendered as active code in a visitor’s browser.
This weakness matters operationally because WordPress permission models often assume “contributors can write content but can’t execute code.” A stored XSS flaw breaks that assumption and can turn content access into a pathway for misuse.
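To make the weakness concrete, here is an added illustration of the save-and-render pattern that produces stored XSS in a WordPress plugin, beside its hardened form. This is hypothetical code written for this page, not the Inline Related Posts source; all `hypo_irp_*` names, the meta key and the nonce action are assumptions. Core WordPress runs post content through kses for users without the `unfiltered_html` capability, so a plugin field that is stored through its own handler without sanitization becomes the path around that control.

```php
<?php
// Hypothetical plugin that stores an "inline box" title from a metabox and
// renders it inside the post. Illustrates the pattern only; this is NOT the
// Inline Related Posts source code.

// --- Vulnerable pattern: raw input stored, raw output rendered ---
function hypo_irp_save_unsafe( $post_id ) {
    if ( isset( $_POST['hypo_irp_title'] ) ) {
        // Stored as-is, bypassing the kses filtering core applies to post_content.
        update_post_meta( $post_id, '_hypo_irp_title', $_POST['hypo_irp_title'] );
    }
}
function hypo_irp_render_unsafe( $content ) {
    $title = get_post_meta( get_the_ID(), '_hypo_irp_title', true );
    // Unescaped output: whatever was stored is rendered as markup for every visitor.
    return '<div class="irp"><h3>' . $title . '</h3></div>' . $content;
}

// --- Hardened pattern: authorize, sanitize on save, escape on output ---
function hypo_irp_save_safe( $post_id ) {
    if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
        return;
    }
    if ( ! isset( $_POST['hypo_irp_nonce'] )
        || ! wp_verify_nonce( $_POST['hypo_irp_nonce'], 'hypo_irp_save' ) ) {
        return; // request did not come from our own metabox form
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return; // caller may not edit this post at all
    }
    if ( isset( $_POST['hypo_irp_title'] ) ) {
        // Plain-text field: strip tags and control characters before storing.
        $title = sanitize_text_field( wp_unslash( $_POST['hypo_irp_title'] ) );
        update_post_meta( $post_id, '_hypo_irp_title', $title );
    }
}
function hypo_irp_render_safe( $content ) {
    $title = get_post_meta( get_the_ID(), '_hypo_irp_title', true );
    // Escape at the point of output even though the value was sanitized on save;
    // the database may hold values written by older, unsanitized code.
    return '<div class="irp"><h3>' . esc_html( $title ) . '</h3></div>' . $content;
}

add_action( 'save_post', 'hypo_irp_save_safe' );
add_filter( 'the_content', 'hypo_irp_render_safe' );
```

If the field must carry limited HTML rather than plain text, use `wp_kses_post()` on both save and output instead of `sanitize_text_field()` / `esc_html()`; the principle of filtering on the way in and escaping on the way out is unchanged.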
Technical or Business Impacts
Brand and customer trust risk: Visitors could be exposed to malicious pop-ups, redirects, or spoofed forms that appear to be part of your website. Even a brief incident can erode confidence and reduce conversion rates.
Data and account risk: Depending on who views the infected page, scripts may be used to target logged-in users (including admins) to perform unwanted actions in their browser session or to attempt to capture sensitive information. The CVSS vector indicates impacts to confidentiality and integrity are possible.
Compliance and reporting exposure: If a malicious script results in data exposure or unauthorized actions, the business may face internal compliance escalations, customer notifications, contractual obligations, or regulatory scrutiny—especially if the site supports lead capture, customer portals, or ecommerce workflows.
Remediation: Update Inline Related Posts to version 3.9.0 or newer (patched). Reference: CVE-2025-47604 and the vendor advisory context from Wordfence.
Similar Attacks
Stored XSS vulnerabilities in WordPress plugins have repeatedly been used to damage brands and compromise site visitors. Examples include: