CVE-2025-46494
Published: 07 January 2026
Summary
CVE-2025-46494 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 7.3 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-46494 is an improper neutralization of input during web page generation vulnerability, enabling reflected cross-site scripting (XSS) as classified under CWE-79, in the Themesgrove WidgetKit Pro (widgetkit-pro) WordPress plugin. This issue affects all versions from n/a through 1.13.1 inclusive. The vulnerability was published on 2026-01-07T13:15:43.423 and carries a CVSS v3.1 base score of 7.1.
Attackers can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) but user interaction (UI:R), resulting in a changed scope (S:C) and low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L). A remote unauthenticated attacker could trick a user into interacting with a maliciously crafted link or input reflected in the plugin's output, leading to arbitrary JavaScript execution in the victim's browser context.
Patchstack provides details on this WordPress plugin vulnerability at https://patchstack.com/database/Wordpress/Plugin/widgetkit-pro/vulnerability/wordpress-widgetkit-pro-plugin-1-13-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve, which security practitioners should review for recommended mitigations such as applying available patches or workarounds.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1219
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themesgrove WidgetKit Pro widgetkit-pro allows Reflected XSS. This issue affects WidgetKit Pro: from n/a through <= 1.13.1.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress plugin directly enables remote exploitation of a web application (T1190) and arbitrary JavaScript execution in the victim's browser (T1059.007).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and sanitization of all inputs before they are used in web page generation, blocking the unsanitized reflected input that enables this reflected XSS.
- SI-15 (Information Output Filtering): Requires filtering of information outputs to remove or neutralize potentially malicious content such as script tags before they are reflected to the user's browser.
- Information flow enforcement: Enforces information flow policies that can mediate and sanitize data flows between untrusted inputs and web page outputs, limiting the plugin's ability to reflect raw attacker-controlled content.
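The following is an added example illustrating the reflected-XSS pattern described in the analysis above and the two controls the page recommends (SI-10 input validation, SI-15 output filtering). It is not the WidgetKit Pro plugin's code; the view functions, parameter names (`q`, `tab`), tab allowlist and sample request are all hypothetical. Plain PHP functions are used so it runs from the CLI; inside a WordPress plugin the equivalents are `sanitize_text_field()`, `esc_html()` and `esc_attr()`.

```php
<?php
// Added example (not the WidgetKit Pro plugin's code): a minimal reflected-XSS
// pattern in a hypothetical plugin view, beside its hardened form.

// Vulnerable pattern: a request parameter is concatenated straight into markup,
// so whatever the link carried is interpreted by the browser as HTML.
function render_search_vulnerable(array $request): string {
    $q = $request['q'] ?? '';
    return '<p>Results for: ' . $q . '</p>';
}

// Hardened form: SI-10 (validate the input) and SI-15 (encode at the output).
function render_search_hardened(array $request): string {
    $q = $request['q'] ?? '';
    // SI-10: reject values that cannot be a legitimate search term
    // (non-string, oversized, or containing control characters).
    if (!is_string($q) || strlen($q) > 100 || preg_match('/[\x00-\x1F\x7F]/', $q)) {
        $q = '';
    }
    // SI-15: encode for the HTML text context at the point of output.
    // ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE avoids
    // returning an empty string on invalid UTF-8 (a silent failure mode).
    $safe = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p>Results for: ' . $safe . '</p>';
}

// SI-10 for a parameter with a fixed set of legal values: allowlist it and
// fall back to a default rather than echoing the unexpected value anywhere.
function resolve_tab(array $request): string {
    $allowed = ['general', 'style', 'advanced']; // hypothetical tab names
    $tab = $request['tab'] ?? 'general';
    return in_array($tab, $allowed, true) ? $tab : 'general';
}

// Constructed sample request: a script tag in q and an attribute-breakout
// attempt in tab, the two shapes a reflected-XSS link typically carries.
$sample = [
    'q'   => '<script>alert(1)</script>',
    'tab' => 'advanced"><img src=x onerror=alert(1)>',
];

echo "vulnerable: ", render_search_vulnerable($sample), "\n";
echo "hardened:   ", render_search_hardened($sample), "\n";
echo "tab:        ", resolve_tab($sample), "\n";
```

Run with `php example.php`. The vulnerable function returns the script tag verbatim inside the paragraph, which is exactly what a browser would execute; the hardened function returns the same text with `<`, `>`, quotes and `&` converted to HTML entities, so it renders as inert text, and the tab parameter resolves to the allowlisted default. For detection, the same property is what a web application firewall or log review keys on: request parameters whose raw value appears unchanged in the response body.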