CVE-2025-49337

2025-12-31

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 18:15 (nvd)

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in janhenckens Dashboard Beacon wp-dashboard-beacon allows Stored XSS. This issue affects Dashboard Beacon: from n/a through <= 1.2.0.

Analysis

Stored cross-site scripting (XSS) in Dashboard Beacon WordPress plugin versions up to 1.2.0 allows authenticated attackers to inject malicious scripts that execute in the browsers of other users, including administrators. The vulnerability stems from improper input neutralization during web page generation, enabling persistent payload storage and execution across user sessions. No public exploit code or active exploitation has been confirmed.

Technical Context

This vulnerability is a Stored XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in the janhenckens Dashboard Beacon WordPress plugin. WordPress plugins run within the wp-admin and wp-content context, making them capable of modifying dashboard content, user settings, and site configuration. Stored XSS vulnerabilities in this context are particularly dangerous because payloads persist in the database and execute automatically for any user accessing affected pages, including privileged administrators. The root cause is insufficient input validation or output encoding: user-supplied data is stored and later rendered in an HTML context without proper sanitization.

Affected Products

Dashboard Beacon WordPress plugin (CPE: wp:dashboard-beacon) versions from an unspecified baseline through and including version 1.2.0. The plugin is distributed via the official WordPress plugin repository, with vulnerability details available in the Patchstack vulnerability database as referenced.

Remediation

Update Dashboard Beacon to a patched version released after 1.2.0. Site administrators should immediately upgrade the plugin through the WordPress dashboard (Plugins > Installed Plugins > Dashboard Beacon > Update) or download the fixed version from wordpress.org/plugins/wp-dashboard-beacon/. If a patched version is not yet available, disable or deactivate the plugin until a fix is released. Review the Patchstack vulnerability advisory at https://patchstack.com/database/Wordpress/Plugin/wp-dashboard-beacon/vulnerability/wordpress-dashboard-beacon-plugin-1-2-0-cross-site-scripting-xss-vulnerability for confirmation of patch availability and timeline.

Priority Score

Score: 0
KEV: 0
EPSS: +0.0
CVSS: +0
POC: 0
