CVE-2025-49266
BaseFortify
Publication date: 2025-06-17
Last updated on: 2026-04-23
Assigner: Patchstack
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a reflected Cross-Site Scripting (XSS) issue in the WordPress Ultimate Reviews plugin up to version 3.2.14. It allows unauthenticated attackers to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, which execute when site visitors access affected pages. This happens because the plugin improperly neutralizes input during web page generation, enabling attackers to run arbitrary scripts in users' browsers. [1]
How can this vulnerability impact me?
The vulnerability can impact you by allowing attackers to compromise your website's integrity and user experience. Malicious scripts injected via this vulnerability can redirect users to harmful sites, display unwanted advertisements, or perform other malicious actions in the context of your website. This can lead to loss of user trust, potential data theft, and damage to your site's reputation. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for reflected Cross-Site Scripting (XSS) attack attempts, such as unusual or suspicious script injections in HTTP requests or responses involving the Ultimate Reviews plugin pages. While specific commands are not provided, users are advised to perform server-side malware scanning and professional incident response if compromise is suspected. Additionally, monitoring web server logs for suspicious payloads or using web application security scanners that detect reflected XSS vulnerabilities on affected plugin versions can help identify exploitation attempts. [1]
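The answer above points at web server logs as the practical place to look for reflected XSS attempts. The following is an added example, written for this page and not code from BaseFortify, Patchstack or the Ultimate Reviews plugin, that parses combined-format access log lines, fully URL-decodes each request target (so double-encoded payloads are not missed), and flags the common markers of an XSS attempt. The log lines are constructed samples, the request paths are placeholders rather than the plugin's real endpoints, and the indicator patterns are a starting heuristic to tune, not a definition of this CVE; a hit means an attempt was logged, not that the site is compromised.

```python
import re
import urllib.parse
from typing import Dict, List

# Constructed sample lines in Apache/Nginx combined log format. The paths are
# illustrative placeholders; they are not the plugin's actual endpoints.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Jun/2025:10:01:02 +0000] "GET /reviews/?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [17/Jun/2025:10:01:05 +0000] "GET /reviews/?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5301 "-" "curl/8.0"
203.0.113.12 - - [17/Jun/2025:10:01:09 +0000] "GET /reviews/?sort=%2522%2520onmouseover%253Dalert(1) HTTP/1.1" 200 5290 "-" "Mozilla/5.0"
203.0.113.13 - - [17/Jun/2025:10:02:00 +0000] "GET /wp-content/plugins/example-plugin/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Combined log format: client, identity, user, [timestamp], "request", status, size, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Heuristic markers of reflected-XSS attempts, checked against the decoded target.
INDICATORS: Dict[str, re.Pattern] = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]{3,}\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "html_injection": re.compile(r"<\s*(img|svg|iframe|object|embed|body)\b", re.I),
}


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly until the value stops changing, so %2522 -> %22 -> \" is caught."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(decoded_target: str) -> List[str]:
    """Return the names of every indicator that matches the decoded request target."""
    return sorted(name for name, pat in INDICATORS.items() if pat.search(decoded_target))


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse each log line and collect the requests whose decoded target trips an indicator."""
    hits: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash on a malformed record
        decoded = decode_fully(m["target"])
        indicators = classify(decoded)
        if indicators:
            hits.append({
                "ip": m["ip"],
                "timestamp": m["ts"],
                "target": m["target"],
                "decoded": decoded,
                "status": int(m["status"]),
                "indicators": indicators,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["timestamp"]} {hit["ip"]} {hit["status"]} {hit["indicators"]} {hit["decoded"]}')
```

Run it against a real access log by passing the file contents to `scan_log`. A 200 response to a flagged request is worth a closer look on an unpatched install, because it means the page rendered rather than being blocked by a WAF or vPatch; the matched line, not the indicator name, is what to carry into incident response.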
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the virtual patch (vPatch) provided by Patchstack to block attacks until the official update can be applied. Users should update the Ultimate Reviews plugin to version 3.2.15 or later, which contains the fix for this vulnerability. Enabling Patchstack's auto-update feature for vulnerable plugins can also help streamline protection. Additionally, conducting professional incident response and server-side malware scanning is recommended if a site is suspected to be compromised. [1]