CVE-2025-49355
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ikaes Accessibility Press ilogic-accessibility allows Stored XSS. This issue affects Accessibility Press: from n/a through <= 1.0.2.
Analysis
Versions of the ikaes Accessibility Press plugin (slug ilogic-accessibility) up to and including 1.0.2 contain a stored cross-site scripting flaw: an authenticated attacker can persist HTML and JavaScript that the plugin later renders without escaping, so it executes in the browsers of other visitors to the site. The consequences are the usual ones for XSS: actions performed with the victim's authenticated session (WordPress auth cookies are HttpOnly by default, so the script typically drives wp-admin requests rather than reading the cookie), phishing for credentials, and defacement of the rendered page. The root cause is missing input sanitization and output encoding during page generation. Exploitation probability is low (EPSS score 0.04%) and no active exploitation has been confirmed.
Technical Context
The flaw is a stored cross-site scripting weakness (CWE-79) in the ilogic-accessibility WordPress plugin, distributed as Accessibility Press by ikaes. Its root cause is that user-supplied input is written to the database and later emitted into generated pages without neutralization: no sanitization when the value is saved and no context-appropriate output escaping (esc_html(), esc_attr(), wp_kses() and friends) when it is rendered. WordPress core does not escape values a plugin prints from its own options or meta; the plugin has to do that itself, so the missing calls are the vulnerability. Unlike reflected XSS, where the payload rides on a single crafted request, a stored payload persists in the site's database and fires for every visitor who loads a page where the plugin prints it, until the record is cleaned. This page does not identify the specific affected field.
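The pattern described above, as an added PHP example that is not code from the Accessibility Press plugin (this page does not identify the affected field): a hypothetical settings option is saved and rendered unsafely, then the same flow is shown hardened with an authorization check, a nonce, sanitization on save and context-aware escaping on output. Every name prefixed ap_demo_ (option, field, functions) is made up for the illustration; the WordPress API calls themselves are real.

```php
<?php
/**
 * Stored XSS in a WordPress settings option: vulnerable and hardened variants.
 * Illustrative only. Not the Accessibility Press (ilogic-accessibility) code;
 * the ap_demo_* option, field and function names are invented for this example.
 */

// ---- Vulnerable pattern -------------------------------------------------
// Persists whatever the request carries and later prints it raw. A <script>
// payload stored once in wp_options then executes for every front-end visitor.
function ap_demo_save_vulnerable() {
    if ( isset( $_POST['ap_demo_banner'] ) ) {
        update_option( 'ap_demo_banner', $_POST['ap_demo_banner'] ); // no capability check, no nonce, no sanitization
    }
}
add_action( 'admin_init', 'ap_demo_save_vulnerable' );

function ap_demo_render_vulnerable() {
    echo '<div class="ap-demo-banner">' . get_option( 'ap_demo_banner', '' ) . '</div>'; // no escaping
}
add_action( 'wp_footer', 'ap_demo_render_vulnerable' );

// ---- Hardened pattern ---------------------------------------------------
function ap_demo_save_hardened() {
    if ( ! isset( $_POST['ap_demo_banner'] ) ) {
        return;
    }
    // 1. Authorization: only users allowed to change site options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // 2. CSRF protection: the form must carry wp_nonce_field( 'ap_demo_save' ).
    //    check_admin_referer() stops execution when the nonce is missing or stale.
    check_admin_referer( 'ap_demo_save' );
    // 3. Sanitize on the way in. WordPress slashes $_POST, so unslash first;
    //    sanitize_text_field() strips tags, invalid UTF-8 and line breaks.
    $banner = sanitize_text_field( wp_unslash( $_POST['ap_demo_banner'] ) );
    update_option( 'ap_demo_banner', $banner );
}
add_action( 'admin_init', 'ap_demo_save_hardened' );

function ap_demo_render_hardened() {
    // 4. Escape on the way out, for the exact output context: esc_html() for
    //    HTML text, esc_attr() inside attributes, esc_url() for href/src.
    //    Sanitizing on save is not a substitute; data can reach the option
    //    through other paths (imports, WP-CLI, other plugins).
    $banner = get_option( 'ap_demo_banner', '' );
    echo '<div class="ap-demo-banner">' . esc_html( $banner ) . '</div>';
}
add_action( 'wp_footer', 'ap_demo_render_hardened' );

// If the value legitimately needs limited markup (a link, emphasis), do not
// fall back to echoing it raw. Filter it through an explicit allowlist instead;
// anything not listed, including <script> and on* attributes, is stripped.
function ap_demo_allowed_html() {
    return array(
        'a'      => array( 'href' => array(), 'title' => array() ),
        'strong' => array(),
        'em'     => array(),
    );
}

function ap_demo_render_limited_html() {
    $banner = get_option( 'ap_demo_banner', '' );
    echo '<div class="ap-demo-banner">' . wp_kses( $banner, ap_demo_allowed_html() ) . '</div>';
}
```

When the option is registered through the Settings API, the same sanitization belongs in the 'sanitize_callback' argument of register_setting(), so it runs on every save path the API handles; output escaping at the echo site is still required either way.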
Affected Products
The ikaes Accessibility Press plugin (WordPress plugin slug ilogic-accessibility) is affected in every version from its initial release through 1.0.2 inclusive; this page lists no fixed version. The issue was reported through Patchstack and is documented in the Patchstack vulnerability database. Administrators running the plugin at any version up to and including 1.0.2 should treat the installation as vulnerable.
Remediation
Update the ikaes Accessibility Press plugin to a release newer than 1.0.2 if the plugin repository or vendor provides one. In the WordPress admin dashboard open the Plugins page, locate Accessibility Press (ilogic-accessibility) and click Update when a patched version is offered; WP-CLI users can check the installed version with `wp plugin get ilogic-accessibility --field=version`. If no release beyond 1.0.2 exists, deactivate and remove the plugin until a security update ships, and review the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/ilogic-accessibility/vulnerability/wordpress-accessibility-press-plugin-1-0-2-cross-site-scripting-xss-vulnerability for the disclosure timeline and vendor contact. As an interim mitigation, limit the accounts that can reach the plugin's input surface to a small set of trusted administrators; this shrinks the attacker population but does not remove the flaw. Updating or deactivating also does not clean up a payload that has already been stored: if compromise is suspected, inspect the plugin's options and any content it saved for injected markup before re-enabling it.
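A detection-and-containment check for the affected range, as an added example and not vendor, WordPress or Patchstack code: a must-use plugin that finds any plugin installed under the ilogic-accessibility directory, compares its header version against 1.0.2 with PHP's version_compare(), and deactivates it while it is in the vulnerable range. It assumes the plugin's directory name matches its slug; the plugin's main file name is not assumed and is discovered from get_plugins(). The ap_ks_ names are invented for this example.

```php
<?php
/**
 * Plugin Name: Kill switch for CVE-2025-49355 (example, not vendor code)
 * Description: Deactivates Accessibility Press (ilogic-accessibility) while it
 *              is at a version affected by the stored XSS (<= 1.0.2).
 *
 * Place in wp-content/mu-plugins/ so it loads before regular plugins and cannot
 * be switched off from the dashboard. Remove once the site runs a fixed release.
 * Assumption: the plugin lives in a directory named after its slug.
 */

const AP_KS_SLUG      = 'ilogic-accessibility';
const AP_KS_LAST_VULN = '1.0.2'; // advisory: all versions through 1.0.2 are affected

/**
 * True when $version falls in the affected range. An empty or unreadable
 * version header compares as lower than 1.0.2 and is therefore treated as
 * vulnerable, which is the safe default for a kill switch.
 */
function ap_ks_is_vulnerable( $version ) {
    return version_compare( (string) $version, AP_KS_LAST_VULN, '<=' );
}

/**
 * Returns plugin_file => version for every installed plugin whose directory is
 * the expected slug, e.g. 'ilogic-accessibility/<main-file>.php' => '1.0.2'.
 */
function ap_ks_find_installs() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $found = array();
    foreach ( get_plugins() as $file => $data ) {
        if ( dirname( $file ) === AP_KS_SLUG ) {
            $found[ $file ] = isset( $data['Version'] ) ? $data['Version'] : '';
        }
    }
    return $found;
}

/**
 * Deactivates every active, vulnerable install and queues an admin notice
 * explaining why. Runs on admin_init so it also fires after a manual
 * re-activation attempt; the plugin stays off until it is updated.
 */
function ap_ks_enforce() {
    $notices = array();
    foreach ( ap_ks_find_installs() as $file => $version ) {
        if ( ap_ks_is_vulnerable( $version ) && is_plugin_active( $file ) ) {
            deactivate_plugins( $file );
            $notices[] = sprintf(
                '%s (version %s) was deactivated: affected by CVE-2025-49355 (stored XSS). Update past 1.0.2 before re-enabling.',
                $file,
                $version === '' ? 'unknown' : $version
            );
        }
    }
    if ( $notices ) {
        add_action( 'admin_notices', function () use ( $notices ) {
            foreach ( $notices as $notice ) {
                // The notice text is escaped as well; a kill switch must not introduce its own XSS.
                echo '<div class="notice notice-error"><p>' . esc_html( $notice ) . '</p></div>';
            }
        } );
    }
}
add_action( 'admin_init', 'ap_ks_enforce' );
```

Deactivation stops the plugin from rendering the unsafe output, but it leaves any already-stored payload in the database; after updating, still review the plugin's saved options before trusting the site's pages again.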