CVE-2025-49355

Vulnerability

Overview

The Accessibility Press plugin for WordPress (ilogic-accessibility) versions up to and including 1.0.2 contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This means that input provided by users is not properly sanitized before being stored and later displayed, allowing arbitrary HTML and JavaScript to be embedded into the application.

Exploitation

To exploit this vulnerability, an attacker must have a role with the necessary privileges (as indicated by the required privilege level in the CVSS vector, though the specific role is not detailed). The attack requires user interaction: a privileged user must perform an action such as clicking a malicious link, visiting a crafted page, or submitting a form [1]. Once initiated, the injected script is stored on the server and will execute when other users, including visitors, access the affected page.

Impact

Successful exploitation allows an attacker to inject malicious scripts that can perform actions such as redirecting users to malicious sites, displaying advertisements, or stealing session cookies [1]. This can lead to further compromise of the website and its users. According to Patchstack, such vulnerabilities are commonly used in mass-exploit campaigns targeting thousands of websites at a time [1].

Mitigation

The vendor has likely released a patched version; users are strongly advised to update the plugin immediately. If an update is not available or cannot be applied, users should contact their hosting provider or web developer for assistance. The CVSS score for this vulnerability is 5.9 (Medium), reflecting the need for user interaction and the potential for significant impact [1].