CVE-2025-46502
📋 TL;DR
This vulnerability combines Cross-Site Request Forgery (CSRF) with Cross-Site Scripting (XSS) in the LSD Custom taxonomy and category meta WordPress plugin. Attackers can trick authenticated administrators into executing malicious actions that inject JavaScript into WordPress pages. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- LSD Custom taxonomy and category meta WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could hijack administrator sessions, install backdoors, steal sensitive data, deface websites, or redirect users to malicious sites through persistent XSS payloads.
Likely Case
Attackers create fake admin interfaces or forms that trick logged-in administrators into executing actions that inject malicious scripts into WordPress pages, affecting all site visitors.
If Mitigated
With proper CSRF tokens and input validation, the attack chain would be broken, preventing exploitation.
🎯 Exploit Status
Exploit requires social engineering to trick authenticated users, but technical execution is straightforward once the user is tricked.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.3 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'LSD Custom taxonomy and category meta'. 4. Click 'Update Now' if available. 5. Alternatively, download version 1.3.3+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily disable the plugin until patched
wp plugin deactivate custom-taxonomy-category-and-term-fields
Implement CSRF protection
allAdd WordPress nonce verification to plugin forms
Manual code modification required - add wp_nonce_field() and wp_verify_nonce() calls
🧯 If You Can't Patch
- Disable the plugin entirely if not essential
- Implement web application firewall with XSS and CSRF protection rules
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'LSD Custom taxonomy and category meta' versionCheck Version:
wp plugin get custom-taxonomy-category-and-term-fields --field=versionVerify Fix Applied:
Verify plugin version is 1.3.3 or higher in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WordPress admin-ajax.php or admin-post.php with plugin-specific parameters
- Multiple failed nonce verification attempts
Network Indicators:
- External domains loading in iframes on admin pages
- Suspicious JavaScript injection in form submissions
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path="/wp-admin/admin-post.php") AND (param="custom_taxonomy" OR param="category_meta")