Penci Bookmark & Follow CVE-2025-49909
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
6DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Bookmark & Follow penci-bookmark-follow allows Reflected XSS.This issue affects Penci Bookmark & Follow: from n/a through < 2.4.
AnalysisAI
Reflected cross-site scripting in Penci Bookmark & Follow WordPress plugin (versions before 2.4) allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction but no authentication, enabling attackers to steal session tokens, perform actions as the victim, or deliver phishing content. EPSS score of 0.02% (6th percentile) indicates low observed exploitation activity, with no CISA KEV listing or public exploit code identified at time of analysis.
Technical ContextAI
The vulnerability affects Penci Bookmark & Follow, a WordPress plugin that enables social bookmarking and user following functionality. Classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), this reflected XSS flaw occurs when user-supplied input is echoed back in HTTP responses without proper encoding or validation. Unlike stored XSS, reflected XSS requires the victim to click a malicious link, making it dependent on social engineering but still effective in targeted attacks. The CVSS vector indicates network-based exploitation with low attack complexity, requiring no special privileges but necessitating user interaction. The changed scope (S:C) indicates the vulnerability can affect resources beyond the vulnerable component's security scope, typical of XSS where attacker code executes in the victim's browser context.
Affected ProductsAI
Penci Bookmark & Follow WordPress plugin versions prior to 2.4 are confirmed vulnerable. The vulnerability was reported by Patchstack's audit team and documented in their vulnerability database. Organizations running this plugin should verify their installed version through WordPress admin dashboard under Plugins section. The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/penci-bookmark-follow/vulnerability/wordpress-penci-bookmark-follow-plugin-2-4-cross-site-scripting-xss-vulnerability provides additional technical details.
RemediationAI
Upgrade Penci Bookmark & Follow plugin to version 2.4 or later, which addresses the reflected XSS vulnerability. WordPress administrators can update through the WordPress admin dashboard (Dashboard → Plugins → Installed Plugins, locate Penci Bookmark & Follow, click Update Now) or via WP-CLI using 'wp plugin update penci-bookmark-follow'. Until patching, implement compensating controls: configure WordPress Content Security Policy headers to restrict inline script execution using plugins like Content Security Policy Manager (may break legitimate plugin functionality requiring inline scripts - test in staging first), enable WordPress security plugins with XSS filtering capabilities such as Wordfence or Sucuri (adds performance overhead and potential false positives), or restrict plugin access to trusted administrative users only by removing public-facing bookmark/follow features through theme customization (eliminates user-facing functionality). Verify patch effectiveness by testing previously vulnerable endpoints with XSS payloads in a controlled environment. Patchstack advisory available at https://patchstack.com/database/Wordpress/Plugin/penci-bookmark-follow/vulnerability/wordpress-penci-bookmark-follow-plugin-2-4-cross-site-scripting-xss-vulnerability.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today