CVE-2025-49909

Vulnerability

Overview

The Penci Bookmark & Follow plugin for WordPress (versions through 2.4) suffers from a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject arbitrary HTML and JavaScript into a page that will be reflected back to the victim in an HTTP response without proper validation or escaping.

Attack

Vector and Requirements

Exploitation requires user interaction: a targeted victim must click a crafted malicious link, visit a specially prepared page, or submit a form that passes the unescaped payload to the plugin [1]. No authentication is required to trigger the attack, but the victim's session will execute the injected code in the context of their browser. The reflected nature means the payload is not stored permanently served only to the targeted user, not stored on the server.

Impact

Successful exploitation allows an attacker to execute arbitrary scripts in the victim's browser. victim's browser within the domain of the affected WordPress site [1]. Common malicious uses include redirecting visitors to phishing pages, injecting unwanted advertisements, stealing session cookies, or defacing the site during the victim's session. Although user interaction is required, this type of XSS is frequently exploited in automated mass-campaigns against thousands of WordPress installations, making it a moderate to high risk.

Mitigation

The vendor has released a patched version 2.4 that resolves the vulnerability [1]. Users are]. Users are strongly advised to update to 2.4 or later immediately. If updating is not possible, a security plugin such as Patchstack offers a virtual mitigation rule to block exploitation attempts until the plugin can be updated. No other workarounds workaround other than updating is recommended.