Skip to main content

WordPress CVE-2025-49312

| EUVDEUVD-2025-28293 HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-06-17 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
EUVD ID Assigned
Mar 14, 2026 - 22:15 euvd
EUVD-2025-28293
Analysis Generated
Mar 14, 2026 - 22:15 vuln.today
CVE Published
Jun 17, 2025 - 15:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodeRevolution Echo RSS Feed Post Generator Plugin for WordPress allows Reflected XSS. This issue affects Echo RSS Feed Post Generator Plugin for WordPress: from n/a through 5.4.8.1.

AnalysisAI

Reflected Cross-Site Scripting (XSS) vulnerability in the CodeRevolution Echo RSS Feed Post Generator Plugin for WordPress affecting versions through 5.4.8.1. An unauthenticated attacker can inject malicious scripts into web pages viewed by users with no special privileges required, potentially leading to session hijacking, credential theft, or malware distribution. The CVSS 7.1 score reflects the moderate severity with network attack vector and user interaction requirement.

Technical ContextAI

This vulnerability stems from improper input neutralization (CWE-79) during dynamic web page generation in the WordPress plugin ecosystem. The Echo RSS Feed Post Generator plugin processes RSS feed data and generates WordPress posts without adequate output encoding or input validation. The reflected nature of this XSS indicates the malicious payload is not stored in the database but rather passed through request parameters (query strings, form data, or HTTP headers) and reflected back to the victim's browser without sanitization. WordPress plugins operating within the wp-admin and frontend contexts must adhere to strict sanitization (sanitize_text_field, wp_kses_post) and escaping (esc_html, esc_attr, wp_kses_data) practices. The vulnerability likely exists in RSS feed URL handling, feed content parsing, or configuration parameter processing where user-controlled input reaches output functions without proper escaping using WordPress's native sanitization APIs.

RemediationAI

Immediate remediation steps: (1) Update the Echo RSS Feed Post Generator plugin to version 5.4.8.2 or later (version number to be confirmed from vendor release notes—patch version must exceed 5.4.8.1). (2) If patch is unavailable, disable the plugin: wp-cli plugin deactivate echo-rss-feed-post-generator, then delete or quarantine. (3) For affected sites, conduct security audit of generated posts for injected scripts. Workarounds pending patch: (1) Implement WordPress security headers (Content-Security-Policy) to restrict inline script execution, reducing XSS impact scope. (2) Apply Web Application Firewall (WAF) rules to filter XSS payloads in RSS feed URLs and POST parameters. (3) Restrict RSS feed source URLs to trusted, validated domains only via plugin settings. (4) Monitor user activity logs for suspicious parameter values in feed processing requests. Refer to official CodeRevolution security advisory and WordPress.org plugin repository for patch availability and vendor guidance.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2025-49312 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy