CVE-2025-47593: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Jonas Hjalmarsson Really Simple Under Construction Page

Medium
Published: Wed May 07 2025 (05/07/2025, 14:20:24 UTC)
Source: CVE
Vendor/Project: Jonas Hjalmarsson
Product: Really Simple Under Construction Page

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jonas Hjalmarsson Really Simple Under Construction Page allows Stored XSS. This issue affects Really Simple Under Construction Page: from n/a through 1.4.6.

AI-Powered Analysis

Last updated: 07/05/2025, 11:28:14 UTC

Technical Analysis

CVE-2025-47593 is a medium-severity vulnerability classified under CWE-79, which pertains to improper neutralization of input during web page generation, commonly known as Cross-site Scripting (XSS). This vulnerability affects the "Really Simple Under Construction Page" plugin developed by Jonas Hjalmarsson, specifically versions up to 1.4.6. The flaw allows an attacker to inject malicious scripts that are stored and later executed in the context of users visiting the affected web page. The vulnerability is characterized as a Stored XSS, meaning that the malicious payload is saved on the server and served to users, increasing the potential impact compared to reflected XSS.

The CVSS 3.1 score is 5.9, indicating a medium severity level, with the vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L. This means the attack can be performed remotely over the network with low attack complexity but requires high privileges and user interaction. The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component. The impact on confidentiality, integrity, and availability is low to medium, as the attacker can execute scripts that may steal user data, manipulate content, or disrupt service.

No known exploits are currently reported in the wild, and no patches or mitigations are linked yet. The vulnerability was published on May 7, 2025, and has been enriched by CISA, indicating recognition by US cybersecurity authorities. The vulnerability arises from insufficient input sanitization or output encoding during web page generation, allowing malicious JavaScript to be injected and executed in users' browsers.

Potential Impact

For European organizations using the Really Simple Under Construction Page plugin, this vulnerability poses a risk of client-side attacks that can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of users. Since the vulnerability requires high privileges to exploit, it is most dangerous if an attacker has already compromised an administrative account or can trick an authorized user into executing the payload. The scope change means that the impact can extend beyond the plugin itself, potentially affecting other parts of the web application or connected systems. This can undermine user trust, lead to data breaches involving personal or sensitive information protected under GDPR, and cause reputational damage. Additionally, availability impacts, though low, could disrupt service during exploitation. The lack of known exploits suggests a window of opportunity for organizations to patch or mitigate before active attacks occur. However, the requirement for user interaction means phishing or social engineering could be used to trigger the exploit, increasing the threat surface. Organizations with public-facing websites employing this plugin are particularly at risk, especially those in sectors handling sensitive data such as finance, healthcare, and government services.

Mitigation Recommendations

1. Immediate mitigation should include restricting administrative access to the Really Simple Under Construction Page plugin to trusted personnel only, minimizing the risk of privilege abuse.
2. Implement strict input validation and output encoding on all user-supplied data within the plugin to prevent script injection.
3. Monitor and audit logs for unusual administrative activities or unexpected content changes in the plugin settings.
4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected web pages.
5. Disable or remove the plugin if it is not essential, or replace it with a more secure alternative that follows secure coding practices.
6. Educate administrators and users about phishing and social engineering risks that could facilitate exploitation via user interaction.
7. Stay alert for official patches or updates from the vendor and apply them promptly once available.
8. Conduct regular vulnerability scans and penetration tests focusing on web application security to detect similar issues proactively.

Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-05-07T10:44:15.222Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981ac4522896dcbd9269

Added to database: 5/21/2025, 9:08:42 AM

Last enriched: 7/5/2025, 11:28:14 AM

Last updated: 7/31/2025, 3:46:59 AM
