CVE-2025-49357

Vulnerability

The Audiomack WordPress plugin versions up to and including 1.4.8 contain a stored cross-site scripting (XSS) vulnerability due to improper neutralization of input during web page generation [1]. This allows attackers to inject arbitrary web scripts that persist on the site.

Exploitation

Exploitation requires a privileged user to perform an action, such as clicking a malicious link or visiting a crafted page. The vulnerability can be initiated by an attacker with the required privilege level, but successful execution depends on user interaction [1]. This is typical of stored XSS, where the injected payload is stored on the server and later rendered to visitors.

Impact

A successful attack could allow an attacker to inject malicious scripts, including redirects, advertisements, or other HTML payloads. These scripts execute when guests visit the affected site, potentially leading to data theft, defacement, or distribution of malware [1]. The plugin is used in WordPress ecosystems, and this vulnerability is noted as being suitable for mass-exploit campaigns.

Mitigation

Users should immediately update the Audiomack plugin to a patched version beyond 1.4.8. The advisory recommends updating the affected plugin or seeking assistance from hosting providers or web developers if unable to update [1]. No workaround is detailed in the reference.