The vulnerability CVE-2025-48343 affects the Aaron Axelsen WPMU Ldap Authentication plugin (versions ≤ 5.0.1). It is a Cross-Site Request Forgery (CSRF) flaw that enables stored Cross-Site Scripting (XSS) attacks. The issue arises because the plugin does not adequately verify the origin of requests, allowing attackers to trick authenticated users into submitting malicious requests that result in persistent XSS payloads. The CVSS 3.1 vector indicates the attack can be performed remotely over the network with low complexity and no privileges, but requires user interaction. The vulnerability impacts confidentiality, integrity, and availability of the affected system. No patch or vendor advisory is currently available to confirm remediation status.

Successful exploitation can lead to stored XSS via CSRF, allowing attackers to execute arbitrary scripts in the context of authenticated users. This can compromise user confidentiality, integrity of data, and availability of the affected system. The vulnerability does not require privileges but does require user interaction. No known active exploitation has been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should exercise caution with untrusted content and consider disabling or restricting use of the affected plugin. Monitor for vendor updates and apply patches promptly once released.