Skip to main content

CVE-2025-49337

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-31 audit@patchstack.com
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.9 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 18:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in janhenckens Dashboard Beacon wp-dashboard-beacon allows Stored XSS.This issue affects Dashboard Beacon: from n/a through <= 1.2.0.

AnalysisAI

Stored cross-site scripting (XSS) in Dashboard Beacon WordPress plugin versions up to 1.2.0 allows authenticated attackers to inject malicious scripts that execute in the browsers of other users, including administrators. The vulnerability stems from improper input neutralization during web page generation, enabling persistent payload storage and execution across user sessions. No public exploit code or active exploitation has been confirmed.

Technical ContextAI

This vulnerability is a Stored XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in the janhenckels Dashboard Beacon WordPress plugin. WordPress plugins run within the wp-admin and wp-content context, making them capable of modifying dashboard content, user settings, and site configuration. Stored XSS vulnerabilities in this context are particularly dangerous because payloads persist in the database and execute automatically for any user accessing affected pages, including privileged administrators. The root cause is insufficient input validation or output encoding when user-supplied data is stored and later rendered in HTML context without proper sanitization.

Affected ProductsAI

Dashboard Beacon WordPress plugin (CPE: wp:dashboard-beacon) versions from an unspecified baseline through and including version 1.2.0. The plugin is distributed via the official WordPress plugin repository, with vulnerability details available in the Patchstack vulnerability database as referenced.

RemediationAI

Update Dashboard Beacon to a patched version released after 1.2.0. Site administrators should immediately upgrade the plugin through the WordPress dashboard (Plugins > Installed Plugins > Dashboard Beacon > Update) or download the fixed version from wordpress.org/plugins/wp-dashboard-beacon/. If a patched version is not yet available, disable or deactivate the plugin until a fix is released. Review the Patchstack vulnerability advisory at https://patchstack.com/database/Wordpress/Plugin/wp-dashboard-beacon/vulnerability/wordpress-dashboard-beacon-plugin-1-2-0-cross-site-scripting-xss-vulnerability for confirmation of patch availability and timeline.

Share

CVE-2025-49337 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy