Skip to main content

CVE-2025-49357

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-12-31 audit@patchstack.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
6.5 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 13:15 nvd
N/A

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in audiomack Audiomack audiomack allows Stored XSS.This issue affects Audiomack: from n/a through <= 1.4.8.

AnalysisAI

Stored cross-site scripting (XSS) in the Audiomack WordPress plugin through version 1.4.8 allows authenticated attackers to inject malicious scripts into web pages, enabling session hijacking, credential theft, or defacement. No active exploitation detected (EPSS 0.04%, low percentile), but the vulnerability affects all installations of the vulnerable plugin versions and persists across page loads due to its stored nature.

Technical ContextAI

This vulnerability represents a CWE-79 (Improper Neutralization of Input During Web Page Generation) flaw in the Audiomack WordPress plugin, a content management and distribution tool. The plugin fails to properly sanitize user-supplied input before storing it in the database and rendering it in the WordPress admin or frontend interfaces. Stored XSS vulnerabilities differ from reflected XSS in that the malicious payload persists in the application database, affecting all users who view the compromised content rather than requiring a targeted delivery mechanism. WordPress plugins operate with direct database access and content rendering privileges, making stored XSS particularly dangerous in the WordPress ecosystem.

Affected ProductsAI

The Audiomack WordPress plugin from version 1.4.8 and earlier are affected. The CPE and exact version range boundaries are not independently confirmed beyond the 'through <= 1.4.8' specification in the vulnerability disclosure. The vulnerability was reported through the Patchstack vulnerability database, which aggregates WordPress plugin security issues. More information is available at https://patchstack.com/database/Wordpress/Plugin/audiomack/vulnerability/wordpress-audiomack-plugin-1-4-8-cross-site-scripting-xss-vulnerability?_s_id=cve.

RemediationAI

Update the Audiomack WordPress plugin to a version newer than 1.4.8 immediately. Patch information and exact fixed versions should be verified through the official WordPress plugin repository or the vendor's advisory at the Patchstack reference link. In the interim, restrict plugin access to trusted administrators only and audit the WordPress database for any suspicious stored content that may indicate previous exploitation. Review admin activity logs for unauthorized content modifications, and consider using WordPress security plugins with XSS filtering capabilities to neutralize malicious scripts before rendering.

Share

CVE-2025-49357 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy