Login Sign Up

CVE-2025-46229

5.9 MEDIUM
Cross-Site Scripting

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability in the Textmetrics WordPress plugin allows attackers to inject malicious scripts into web pages. When users view affected pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. WordPress sites using Textmetrics versions up to 3.6.2 are affected.

💻 Affected Systems

Products:
  • Textmetrics WordPress plugin
Versions: n/a through 3.6.2
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with vulnerable Textmetrics plugin versions are affected regardless of configuration.

📦 What is this software?

Textmetrics by Textmetrics

View all CVEs affecting Textmetrics →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator session cookies, take over WordPress sites, deface websites, or redirect users to malicious sites, leading to complete site compromise and data theft.

🟠

Likely Case

Attackers inject malicious JavaScript that steals user session cookies or credentials when users visit compromised pages, potentially leading to account takeover.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts would be neutralized before reaching users' browsers, preventing exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

XSS vulnerabilities are commonly exploited, and proof-of-concept details are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.6.3 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/webtexttool/vulnerability/wordpress-textmetrics-3-6-2-cross-site-scripting-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Textmetrics plugin. 4. Click 'Update Now' if update is available. 5. Alternatively, download latest version from WordPress repository and replace plugin files.

🔧 Temporary Workarounds

Disable Textmetrics plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate textmetrics

Implement Content Security Policy

all

Add CSP headers to restrict script execution sources

Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Add to nginx config: add_header Content-Security-Policy "default-src 'self'; script-src 'self'";

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads
  • Disable user input fields that accept HTML/JavaScript in Textmetrics settings

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for Textmetrics version. If version is 3.6.2 or earlier, you are vulnerable.

Check Version:

wp plugin get textmetrics --field=version

Verify Fix Applied:

After updating, verify Textmetrics plugin version shows 3.6.3 or later in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to Textmetrics endpoints with script tags
  • Multiple failed XSS attempts in web server logs

Network Indicators:

  • HTTP requests containing <script> tags to Textmetrics plugin URLs
  • Outbound connections to suspicious domains from your WordPress site

SIEM Query:

source="web_server" AND (uri="*textmetrics*" AND (body="*<script>*" OR body="*javascript:*"))

📊 Metadata

CVE ID: CVE-2025-46229
CVSS v3 Score: 5.9 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
CWE: CWE-79
EPSS Score: 0.04% exploit probability (12.7th percentile)
Published: April 22, 2025
Last Updated: April 30, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-46229, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)