CVE-2025-50035
BaseFortify
Publication date: 2025-06-20
Last updated on: 2026-04-23
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-site Scripting (XSS) issue in the WordPress Fyrebox Quizzes plugin up to version 3.0. It allows attackers with at least contributor-level privileges to inject malicious scripts into web pages generated by the plugin. These scripts can execute when visitors access the affected website, potentially causing redirects, displaying unwanted advertisements, or executing other harmful HTML payloads. [1]
How can this vulnerability impact me? :
If exploited, this vulnerability can lead to malicious scripts running in the browsers of visitors to your website. This can result in unwanted redirects, display of malicious advertisements, or other harmful actions that compromise user experience and security. Although the risk is considered low and exploitation is unlikely, attackers may still target vulnerable sites opportunistically. It requires contributor-level access to exploit. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the WordPress site is running Fyrebox Quizzes plugin version 3.0 or earlier, as these versions are vulnerable. Since exploitation requires contributor-level privileges, monitoring for unusual contributor activity or injected scripts in quiz content can help. There are no specific commands provided for detection, but server-side malware scanning and professional incident response are recommended if compromise is suspected. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying virtual patching (vPatching) offered by Patchstack, which provides automatic protection even without an official fix. Additionally, restricting contributor-level privileges, monitoring for suspicious activity, and preparing for professional incident response and server-side malware scanning in case of compromise are advised. Since no official patch is available, these measures help reduce risk. [1]