Skip to main content

Penci Bookmark & Follow CVE-2025-49909

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-11-06 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

6
Analysis Updated
Apr 24, 2026 - 00:55 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
Severity Changed
Apr 23, 2026 - 15:43 NVD
MEDIUM HIGH
CVSS changed
Apr 23, 2026 - 15:43 NVD
6.1 (MEDIUM) 7.1 (HIGH)
Analysis Generated
Mar 28, 2026 - 19:20 vuln.today
CVE Published
Nov 06, 2025 - 16:15 nvd
MEDIUM 6.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Bookmark & Follow penci-bookmark-follow allows Reflected XSS.This issue affects Penci Bookmark & Follow: from n/a through < 2.4.

AnalysisAI

Reflected cross-site scripting in Penci Bookmark & Follow WordPress plugin (versions before 2.4) allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction but no authentication, enabling attackers to steal session tokens, perform actions as the victim, or deliver phishing content. EPSS score of 0.02% (6th percentile) indicates low observed exploitation activity, with no CISA KEV listing or public exploit code identified at time of analysis.

Technical ContextAI

The vulnerability affects Penci Bookmark & Follow, a WordPress plugin that enables social bookmarking and user following functionality. Classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), this reflected XSS flaw occurs when user-supplied input is echoed back in HTTP responses without proper encoding or validation. Unlike stored XSS, reflected XSS requires the victim to click a malicious link, making it dependent on social engineering but still effective in targeted attacks. The CVSS vector indicates network-based exploitation with low attack complexity, requiring no special privileges but necessitating user interaction. The changed scope (S:C) indicates the vulnerability can affect resources beyond the vulnerable component's security scope, typical of XSS where attacker code executes in the victim's browser context.

Affected ProductsAI

Penci Bookmark & Follow WordPress plugin versions prior to 2.4 are confirmed vulnerable. The vulnerability was reported by Patchstack's audit team and documented in their vulnerability database. Organizations running this plugin should verify their installed version through WordPress admin dashboard under Plugins section. The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/penci-bookmark-follow/vulnerability/wordpress-penci-bookmark-follow-plugin-2-4-cross-site-scripting-xss-vulnerability provides additional technical details.

RemediationAI

Upgrade Penci Bookmark & Follow plugin to version 2.4 or later, which addresses the reflected XSS vulnerability. WordPress administrators can update through the WordPress admin dashboard (Dashboard → Plugins → Installed Plugins, locate Penci Bookmark & Follow, click Update Now) or via WP-CLI using 'wp plugin update penci-bookmark-follow'. Until patching, implement compensating controls: configure WordPress Content Security Policy headers to restrict inline script execution using plugins like Content Security Policy Manager (may break legitimate plugin functionality requiring inline scripts - test in staging first), enable WordPress security plugins with XSS filtering capabilities such as Wordfence or Sucuri (adds performance overhead and potential false positives), or restrict plugin access to trusted administrative users only by removing public-facing bookmark/follow features through theme customization (eliminates user-facing functionality). Verify patch effectiveness by testing previously vulnerable endpoints with XSS payloads in a controlled environment. Patchstack advisory available at https://patchstack.com/database/Wordpress/Plugin/penci-bookmark-follow/vulnerability/wordpress-penci-bookmark-follow-plugin-2-4-cross-site-scripting-xss-vulnerability.

Share

CVE-2025-49909 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy