CVE-2025-48304 Overview
CVE-2025-48304 is a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] in the Gary Illyes Google XML News Sitemap plugin (gn-xml-sitemap) for WordPress. The flaw chains into a Stored Cross-Site Scripting (XSS) condition, allowing attackers to persist malicious script payloads through forged administrator requests. The vulnerability affects all versions of the plugin up to and including 0.02.
Critical Impact
Attackers can trick authenticated administrators into submitting forged requests that store malicious JavaScript in plugin settings, leading to session hijacking, privilege abuse, and persistent compromise of WordPress sites.
Affected Products
- Gary Illyes Google XML News Sitemap plugin (gn-xml-sitemap)
- All versions from n/a through 0.02
- WordPress installations using this plugin
Discovery Timeline
- 2025-08-28 - CVE-2025-48304 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2025-48304
Vulnerability Analysis
The vulnerability combines two distinct weaknesses into a single attack chain. The plugin processes state-changing requests without verifying anti-CSRF tokens, and it stores user-controllable input without proper sanitization or output encoding. An attacker who lures an authenticated WordPress administrator to a malicious page can issue background requests that modify plugin settings on behalf of the victim. The injected payload then executes whenever an administrator loads the affected plugin page in the WordPress dashboard.
Stored XSS in an administrative context is particularly impactful because it executes with the privileges of any administrator who views the affected page. This enables attackers to create new administrative users, exfiltrate session cookies, modify site content, or pivot to deeper compromise of the WordPress installation.
Root Cause
The root cause is the absence of CSRF protection mechanisms such as WordPress nonce verification using wp_verify_nonce() or check_admin_referer() on the plugin's settings handlers. Compounding this, the plugin fails to sanitize input through functions such as sanitize_text_field() and does not escape output using esc_html() or esc_attr() when rendering stored values back to the page.
Attack Vector
Exploitation requires user interaction. An attacker hosts a crafted page containing an auto-submitting form or fetch request targeting the vulnerable plugin endpoint. When a logged-in administrator visits the attacker-controlled page, the browser sends the forged request with the administrator's session cookies. The plugin accepts the request without validating its origin and stores the attacker-supplied JavaScript payload. The payload subsequently executes in any administrator's browser session that renders the affected settings page. See the Patchstack WordPress Vulnerability Report for technical details.
Detection Methods for CVE-2025-48304
Indicators of Compromise
- Unexpected <script> tags or JavaScript event handlers stored in plugin configuration values within the wp_options table
- Outbound HTTP requests from administrator browsers to unfamiliar third-party domains following access to the WordPress dashboard
- Creation of new administrator-level WordPress accounts without corresponding audit log entries
- Modifications to plugin settings without matching entries in administrator activity logs
Detection Strategies
- Audit the wp_options table for plugin-related option rows containing HTML tags, javascript: URIs, or event handler attributes such as onerror= or onload=
- Inspect web server access logs for POST requests to plugin admin endpoints lacking a same-origin Referer header
- Monitor WordPress administrator sessions for anomalous client-side script execution and unexpected DOM modifications
Monitoring Recommendations
- Enable WordPress security plugin logging to capture changes to plugin options and administrative actions
- Implement Content Security Policy (CSP) headers to surface inline script execution attempts in browser violation reports
- Track administrator account creation and role escalation events through centralized logging
How to Mitigate CVE-2025-48304
Immediate Actions Required
- Deactivate and remove the Gary Illyes Google XML News Sitemap plugin (gn-xml-sitemap) until a patched version is available
- Audit plugin configuration values in the database and remove any stored JavaScript payloads
- Review WordPress user accounts and revoke any unauthorized administrator privileges created during the exposure window
- Force password resets and session invalidation for all administrator accounts
Patch Information
No official patch is currently listed for this plugin. The vulnerability affects all versions through 0.02, and no fixed release has been identified at the time of NVD publication. Site operators should remove the plugin and consider alternative sitemap solutions that receive active security maintenance.
Workarounds
- Restrict access to /wp-admin/ using IP allowlisting at the web server or WAF layer to limit CSRF exposure
- Deploy a Web Application Firewall rule that blocks state-changing requests to the plugin's admin endpoints lacking valid WordPress nonces
- Enforce a strict Content Security Policy that disallows inline scripts in the WordPress administration interface
- Replace the plugin with an actively maintained sitemap solution
# Configuration example: remove the vulnerable plugin via WP-CLI
wp plugin deactivate gn-xml-sitemap
wp plugin delete gn-xml-sitemap
# Audit wp_options for suspicious script content
wp db query "SELECT option_name, option_value FROM wp_options WHERE option_value LIKE '%<script%' OR option_value LIKE '%javascript:%';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
