CVE-2025-49453
BaseFortify
Publication date: 2025-06-06
Last updated on: 2026-04-23
Assigner: Patchstack
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Request Forgery (CSRF) in the WordPress BP Profile as Homepage plugin (versions up to 1.1) that can lead to stored Cross-Site Scripting (XSS). An attacker can trick an authenticated user with higher privileges into submitting a request that performs unwanted actions, potentially injecting malicious code that is stored and executed later. The attacker does not need an account on the site: the forged request runs with the privileges of the victim whose browser submits it. [1]
How can this vulnerability impact me?
The vulnerability can allow attackers to execute malicious code within the context of a higher privileged user, potentially leading to unauthorized actions, data theft, or further compromise of the affected system. Since it involves stored XSS, the malicious code can persist and affect multiple users. This can disrupt normal operations and compromise the security and integrity of your WordPress site. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability is challenging as it involves Cross-Site Request Forgery leading to stored XSS in the BP Profile as Homepage WordPress plugin up to version 1.1. There are no specific commands provided to detect exploitation. Plugin-based malware scanners may be unreliable. It is recommended to monitor for unusual or unauthorized actions performed by authenticated users and consider professional incident response services for thorough detection. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying virtual patching (vPatching) provided by Patchstack, which auto-mitigates the vulnerability even without an official fix. Since no official patch or fixed version is available, users should consider disabling the vulnerable plugin if possible, restricting access for higher privileged users, and seeking professional incident response services if compromise is suspected. [1]