Description (NVD)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Stefan M. SMu Manual DoFollow manuall-dofollow allows Reflected XSS. This issue affects SMu Manual DoFollow: from n/a through <= 1.8.1.
Analysis (AI)
Reflected cross-site scripting (XSS) in the SMu Manual DoFollow WordPress plugin by Stefan M., versions through 1.8.1, allows an unauthenticated attacker to inject script into a page rendered by the vulnerable site. The attacker crafts a URL carrying the payload and lures a user of the site into opening it; the script then runs in that user's browser within the site's origin, where it can read the rendered page, send requests that carry the victim's session cookies, and perform any action the victim is authorized to perform. No public exploit code had been identified at the time of analysis, and the EPSS score of 0.04% indicates a low estimated likelihood of exploitation in the wild, but the flaw remains a valid security concern for WordPress administrators running this plugin.
Technical Context (AI)
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), the canonical cross-site scripting weakness. The SMu Manual DoFollow plugin, which helps WordPress administrators manage link attributes (specifically DoFollow/NoFollow status), fails to sanitize or encode user-supplied input before writing it into dynamically generated HTML. Reflected XSS arises when a request parameter (a query-string value or form field) is echoed back in the response without encoding appropriate to the context in which it is written, so an attacker can supply markup such as a script tag or an event-handler attribute that the victim's browser parses and executes. The defensive pattern is to sanitize on input and escape on output for the exact context (HTML body, attribute, URL, or JavaScript); in WordPress that means functions such as sanitize_text_field() on the way in and esc_html(), esc_attr(), and esc_url() on the way out. The plugin's failure to apply such output encoding when displaying user input is what enables the injection.
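The following is an added illustration of the reflection pattern described above and its hardened form, written for this page; it is not code from the SMu Manual DoFollow plugin. The parameter name q, the function names, and the text domain are assumptions; the WordPress functions it calls (sanitize_text_field, wp_unslash, esc_html, esc_attr, esc_url, current_user_can, check_admin_referer) are real WordPress core APIs.

```php
<?php
// Added example, not code from the SMu Manual DoFollow plugin. The parameter
// name 'q', the function names and the 'smu-example' text domain are
// assumptions made for illustration only.

// VULNERABLE: the request parameter is written into the HTML body untouched.
// A URL such as ?q=<img src=x onerror=alert(document.domain)> is reflected
// verbatim, so the injected event handler runs in the visitor's browser.
function smu_example_search_notice_vulnerable() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    echo '<p>Showing links matching: ' . $q . '</p>';
}

// HARDENED: unslash and sanitize on the way in, escape for the HTML text
// context on the way out. esc_html() converts < > & " ' to entities, so the
// same payload is displayed as literal text instead of being parsed as markup.
function smu_example_search_notice_safe() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    echo '<p>Showing links matching: ' . esc_html( $q ) . '</p>';
}

// Escaping is context-specific: a value inside an attribute needs esc_attr(),
// a value used as an href needs esc_url(), and a DoFollow/NoFollow choice is
// reduced to a fixed allow-list rather than echoed back from the request.
function smu_example_render_link( $href, $label, $rel_choice ) {
    // Only a constant string ever reaches the markup for the rel attribute.
    $rel_attr = ( 'nofollow' === $rel_choice ) ? ' rel="nofollow"' : '';
    printf(
        '<a href="%s" title="%s"%s>%s</a>',
        esc_url( $href ),
        esc_attr( $label ),
        $rel_attr,
        esc_html( $label )
    );
}

// Admin-facing pages should also gate who can reach the reflecting code path.
// A capability check limits the audience, and a nonce means a crafted link an
// anonymous attacker sends to an administrator will not reach the render step.
function smu_example_admin_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'smu-example' ) );
    }
    check_admin_referer( 'smu_example_search' );
    smu_example_search_notice_safe();
}
```

Output escaping is the primary control here, not input sanitization alone: sanitize_text_field() strips tags but leaves quote characters in place, so a value that is later placed inside an attribute can still break out of it unless esc_attr() is applied at the point where the attribute is written.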
Affected Products (AI)
The SMu Manual DoFollow WordPress plugin by Stefan M. is affected in all versions up to and including 1.8.1. The vulnerability is documented in the Patchstack vulnerability database. Any WordPress site on which version 1.8.1 or earlier of the plugin is installed is exposed, so administrators who use this plugin to manage link DoFollow/NoFollow attributes should check the installed version (shown on the Plugins page of the WordPress dashboard) against the affected range.
Remediation (AI)
Update the SMu Manual DoFollow plugin to a release newer than 1.8.1 from the official WordPress plugin repository as published by Stefan M. From the WordPress dashboard, open the Plugins section and update the plugin to the latest available version. If no patched version has been released, or the plugin is no longer maintained, deactivate and remove the plugin and choose an alternative link-management solution; a deactivated plugin that is still installed can be reactivated, so removal is the safer end state. For current vulnerability details and patch availability, see the Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/manuall-dofollow/vulnerability/wordpress-smu-manual-dofollow-plugin-1-8-1-reflected-cross-site-scripting-xss-vulnerability.