The vulnerability CVE-2025-49948 in WP Super Edit plugin is caused by improper input sanitization during web page generation, resulting in a reflected cross-site scripting (XSS) flaw. This allows an attacker to craft malicious input that is reflected back in the web page without proper neutralization, potentially executing arbitrary scripts in the victim's browser. The affected versions include all releases up to 2.5.4. The CVSS v3.1 base score is 7.1, indicating a high severity with network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and impacts on confidentiality, integrity, and availability at a low level.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of the victim's browser session. This may lead to limited disclosure of information, modification of data, or disruption of service within the scope of the affected application. The reflected XSS requires user interaction and does not require privileges, but the scope is changed, meaning the impact extends beyond the vulnerable component.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or removing the WP Super Edit plugin if feasible, or applying web application firewall (WAF) rules to detect and block reflected XSS attempts targeting this plugin. Monitor official Ahmad Awais or WP Super Edit channels for updates and patches.