CVE-2025-50047
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webvitaly Sitekit sitekit allows Stored XSS. This issue affects Sitekit: from n/a through <= 1.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in WordPress Sitekit plugin versions ≤1.9 allows authenticated attackers to inject malicious scripts, leading to redirects or ads on visitor pages.
Vulnerability
Overview
The CVE-2025-50047 vulnerability is a stored cross-site scripting (XSS) flaw in the Sitekit plugin for WordPress, affecting versions up to and including 1.9. The root cause is improper neutralization of user input during web page generation, allowing malicious scripts to be permanently stored on the server and executed in the context of visitors' browsers [1].
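To make the CWE concrete, the following added example (written for this page, not code from Sitekit or webvitaly, whose source is not shown here) renders a stored plugin setting into page markup the vulnerable way, beside the escaped form. The setting name, the wrapper markup and the payload are assumptions for illustration; in a WordPress plugin the escaping done here with htmlspecialchars() is what esc_html(), esc_attr(), esc_url() and wp_kses_post() provide.

```php
<?php
// Added example, not Sitekit's code: a stored plugin setting echoed into the
// page without neutralization (the CWE-79 pattern), beside the escaped form.
// "sitekit-footer" and the wrapper markup are assumptions for illustration.

// Constructed sample of what an attacker would save into the setting: a broken
// image whose error handler redirects the visitor (the "redirect" impact).
$stored = '<img src=x onerror="location=\'https://attacker.example/\'">Visit us';

// Vulnerable: the stored value is concatenated into the markup verbatim.
function render_vulnerable(string $value): string
{
    return '<div class="sitekit-footer">' . $value . '</div>';
}

// Hardened: escape for the HTML text context at the moment of output.
// A WordPress plugin would call esc_html() here, or wp_kses_post() when the
// setting is meant to carry a limited set of safe tags.
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_safe(string $value): string
{
    return '<div class="sitekit-footer">' . html_text($value) . '</div>';
}

// URL attribute context: escaping alone does not stop javascript: or data:
// URLs, so the scheme is allow-listed as well (what esc_url() does in WordPress).
function render_link_safe(string $url, string $label): string
{
    $scheme = strtolower((string) parse_url(trim($url), PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        $url = '#'; // reject javascript:, data:, vbscript: and scheme-less values
    }
    return '<a href="' . html_text($url) . '">' . html_text($label) . '</a>';
}

// Review-style check: does the generated HTML still contain the raw payload?
// Only meaningful for a payload that contains markup characters, as above.
function payload_survives(string $html, string $payload): bool
{
    return strpos($html, $payload) !== false;
}

echo render_vulnerable($stored), PHP_EOL;  // tag and onerror handler are live
echo render_safe($stored), PHP_EOL;        // shown to the visitor as literal text
var_dump(payload_survives(render_vulnerable($stored), $stored));
var_dump(payload_survives(render_safe($stored), $stored));
echo render_link_safe('javascript:alert(document.cookie)', 'Home'), PHP_EOL;
echo render_link_safe('https://example.org/?a=1&b=2', 'Example'), PHP_EOL;
```

The point of the three render functions is that the correct neutralization depends on where the value lands: text content, an attribute value and a URL each need a different treatment, and a single "sanitize on save" step that stores cleaned text does not replace escaping at the point of output, because the same stored value may later be emitted into more than one context.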
Exploitation
Details
The cited advisory states that exploitation requires a privileged user, such as an administrator, to perform an action like clicking a crafted link or submitting a specially designed form; the summary above describes the attacker as an authenticated user, and the exact minimum role is not given on this page, so confirm it against the advisory before triaging. What the CWE does make clear is the sink: a value the plugin stores is later written into page markup without escaping. Once the payload is stored, it executes in the browser of every visitor who loads the affected content, with no further action on the victim's part. Stored XSS of this kind is routinely used in mass-exploit campaigns that target thousands of websites regardless of their size or popularity [1].
Impact
A successful attack allows the injection of arbitrary HTML and JavaScript into pages served to every visitor, which in practice is used for redirects, advertisements, or other malicious content. The CVSS v3 base score of 6.5 (Medium) weighs the preconditions on the attacker (authentication and, per the advisory, an action by a privileged user) against the persistent damage such a payload does to site integrity and user trust [1].
Mitigation
The vendor has released version 2.0 of the Sitekit plugin, which resolves the vulnerability. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. Although the rating is only Medium, a stored XSS with a public fix is exactly what automated campaigns scan for, so patching should be treated as a priority [1]. Updating closes the injection point but does not remove a payload that was stored before the update; after patching, review the plugin's saved settings and any content it renders for unexpected script, iframe, or redirect markup.
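As an added check (written for this page, not the vendor's or Patchstack's tooling), the following script reads a plugin's header the way WordPress does and reports whether an installed copy is still in the affected range. The location wp-content/plugins/sitekit/sitekit.php is an assumption about the plugin's layout; the fixed version 2.0 is taken from the advisory.

```php
<?php
// Added example, not from the plugin or vendor: decide whether an installed
// copy of Sitekit is in the affected range (<= 1.9) by reading the "Version:"
// field from the plugin header that WordPress itself parses.
// Assumption: the main plugin file is wp-content/plugins/sitekit/sitekit.php.

const SITEKIT_FIXED_VERSION = '2.0';

// Extract the Version: header value; accepts "/* Version: x */" and " * Version: x".
function plugin_header_version(string $source): ?string
{
    if (preg_match('/^[ \t\/*#@]*Version:[ \t]*(\S+)/mi', $source, $m)) {
        return $m[1];
    }
    return null;
}

// true when the installed version predates the fix (covers 1.9 and any 1.9.x).
function sitekit_is_vulnerable(string $version): bool
{
    return version_compare($version, SITEKIT_FIXED_VERSION, '<');
}

function check_plugin_file(string $path): string
{
    if (!is_readable($path)) {
        return "$path: not installed or unreadable";
    }
    $version = plugin_header_version((string) file_get_contents($path));
    if ($version === null) {
        return "$path: no Version header found";
    }
    return sprintf(
        '%s: version %s is %s',
        $path,
        $version,
        sitekit_is_vulnerable($version)
            ? 'VULNERABLE to CVE-2025-50047, update to 2.0 or later'
            : 'patched'
    );
}

// Constructed sample header so the parser can be exercised without a WordPress install.
$sample = <<<'HEADER'
<?php
/*
Plugin Name: Sitekit
Version: 1.9
*/
HEADER;

$version = plugin_header_version($sample);
printf("sample header: version %s -> %s\n", $version,
    sitekit_is_vulnerable($version) ? 'vulnerable' : 'patched');

// Against a real install (path is an assumption; adjust to the site's docroot).
echo check_plugin_file('/var/www/html/wp-content/plugins/sitekit/sitekit.php'), PHP_EOL;
```

On a site with WP-CLI available, the remediation itself is `wp plugin update sitekit`; the script above is for fleets where an inventory of installed versions is needed before and after rolling that out.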
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.9
Patches
No patches discovered yet.
References