CVE-2025-49358

2025-12-31 [email protected]

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 17:44 (vuln.today)
CVE Published: Dec 31, 2025 - 12:16 (nvd)
N/A

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ruhul Amin Content Fetcher content-fetcher allows DOM-Based XSS. This issue affects Content Fetcher: from n/a through <= 1.1.

Analysis

DOM-based cross-site scripting (XSS) vulnerability in the Ruhul Amin Content Fetcher WordPress plugin, versions 1.1 and earlier, allows an attacker to run arbitrary JavaScript in the browser of any user who opens a crafted link to an affected site, with the usual XSS consequences: abuse of the victim's session, actions performed with the victim's privileges (an administrator being the most valuable target), and injection of content into the page. The CVE description does not state what privilege, if any, the attacker needs; because the payload executes client-side, the practical requirement is that a victim visits the crafted URL. The root cause is improper neutralization of input during web page generation (CWE-79). The EPSS exploitation probability is very low at 0.01% (3rd percentile), which indicates little observed exploitation activity but says nothing about how easy the flaw is to trigger.

Technical Context

The vulnerability is a DOM-based cross-site scripting flaw (CWE-79) in the Ruhul Amin Content Fetcher WordPress plugin, a content aggregation/fetching utility. DOM-based XSS arises when the plugin's own client-side JavaScript reads attacker-controlled data from a source such as location.search, location.hash or document.referrer and writes it into an HTML-interpreting sink such as innerHTML, document.write(), jQuery's .html() or $() called on a string, with no context-aware encoding in between. The payload travels in a URL the attacker persuades a victim to open and is executed entirely by the victim's browser. That is what distinguishes it from stored and reflected XSS: the HTML the server sends can be byte-for-byte identical with and without the payload, so server-side output escaping does not help, and if the payload sits in the URL fragment it is never transmitted to the server at all, so web-application firewalls and server logs never see it. The affected component is the plugin's page generation and content retrieval code; the advisory does not identify the specific source or sink.

Affected Products

Ruhul Amin Content Fetcher WordPress plugin, versions 1.1 and earlier (all versions from initial release through 1.1); no fixed version is named in the references. The plugin is distributed via the WordPress plugin directory under the slug content-fetcher, which is also the identifier used in the Patchstack database. The references cited here provide no CPE entry for the plugin, so identify affected installations by plugin slug and version rather than by CPE.

Remediation

Update the Content Fetcher plugin to a version later than 1.1 as soon as one is available: in the WordPress admin dashboard open Plugins, find 'Content Fetcher' and click 'Update now'; from the command line, wp plugin update content-fetcher does the same. If no fixed release is available, deactivate (or remove) the plugin until one is published, since neither a WAF nor server-side hardening reliably blocks a DOM-based payload. For plugin developers, the fix belongs in the client-side JavaScript, because that is where the sink is: never write URL-derived data (location.search, location.hash, document.referrer) into innerHTML, document.write(), jQuery .html() or a jQuery selector built from a string; assign it with textContent or jQuery .text() instead, or HTML-encode it first, and validate values that are supposed to be identifiers, numbers or URLs against an allowlist. WordPress's server-side functions (sanitize_text_field and wp_kses_post for input; esc_attr, esc_html and esc_js for output) remain necessary for any data the server itself renders or hands to scripts via wp_localize_script or wp_add_inline_script, but they do not cover data the browser reads from the URL at runtime. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/content-fetcher/vulnerability/wordpress-content-fetcher-plugin-1-1-cross-site-scripting-xss-vulnerability for ongoing updates.
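The following is an added example, not code from the Content Fetcher plugin or from Patchstack. It illustrates both the source-to-sink pattern described under Technical Context and the client-side fix described under Remediation. The parameter names q and post, the CSS class names and the payload string are assumptions constructed for the demo; the DOM sink is represented by the string a script would assign to innerHTML, so the example runs under Node.js without a browser.

```javascript
// Added example (not the plugin's code). Simulates a DOM-based XSS source ->
// sink flow and the two client-side fixes: HTML-encode free text, allowlist
// identifiers. Parameter names, class names and the payload are constructed.

// Source: a query-string parameter, read exactly as a browser script would
// read it from window.location.search (URLSearchParams percent-decodes).
function readParam(search, name) {
  return new URLSearchParams(search).get(name) ?? '';
}

// VULNERABLE: attacker-controlled text concatenated into markup that the
// caller then assigns to element.innerHTML (or passes to jQuery .html()).
function renderVulnerable(search) {
  const q = readParam(search, 'q');
  return '<p class="cf-result">Results for: ' + q + '</p>';
}

// Fix 1: HTML-encode untrusted text before it enters an HTML context.
// This is what element.textContent = q achieves without any string work.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderHardened(search) {
  const q = readParam(search, 'q');
  return '<p class="cf-result">Results for: ' + escapeHtml(q) + '</p>';
}

// Fix 2: a value that is supposed to be an identifier is validated against an
// allowlist pattern and rejected outright on mismatch; encoding is not the
// right tool for a post ID.
function renderPostId(search) {
  const id = readParam(search, 'post');
  if (!/^[0-9]{1,10}$/.test(id)) return null;
  return '<div class="cf-post" data-post-id="' + id + '"></div>';
}

// Why the server cannot see a fragment payload: the request-target that
// leaves the browser is path + query only; the fragment never goes on the wire.
function requestTarget(href) {
  const u = new URL(href);
  return u.pathname + u.search;
}

// Triage helper: does the rendered markup still contain the payload as live
// markup (tag start intact) rather than as encoded text?
function payloadSurvives(markup, payload) {
  return markup.includes(payload);
}

// Constructed demo input: a classic event-handler payload in the query string.
const PAYLOAD = '<img src=x onerror=alert(document.cookie)>';
const SEARCH = '?q=' + encodeURIComponent(PAYLOAD);

function demo() {
  return {
    vulnerable: renderVulnerable(SEARCH),
    hardened: renderHardened(SEARCH),
    survivesVulnerable: payloadSurvives(renderVulnerable(SEARCH), PAYLOAD),
    survivesHardened: payloadSurvives(renderHardened(SEARCH), PAYLOAD),
    badId: renderPostId('?post=12abc'),
    goodId: renderPostId('?post=12'),
    onTheWire: requestTarget('https://example.test/?page=content-fetcher#' + PAYLOAD),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Assigning renderVulnerable's output to innerHTML executes the onerror handler; renderHardened's output shows the payload as literal text. The onTheWire value is what a WAF or access log would see for a fragment-borne payload: nothing after the query string, which is why the Remediation advice prefers deactivating the plugin over relying on a server-side filter.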

Priority Score

0 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.0, CVSS +0, POC 0
