CVE-2025-49336
BaseFortify
Publication date: 2026-01-22
Last updated on: 2026-04-27
Assigner: Patchstack
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pondol | pondol_bbs | all versions up to and including 1.1.8.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-49336 is a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress Pondol BBS plugin, versions up to and including 1.1.8.4. An attacker can inject script into content that the plugin stores and later renders into web pages; the script then runs in the browser of any visitor who views the affected page. Exploitation requires a privileged account (the advisory names Editor- or Developer-level users), which limits who can plant the payload. The issue is classified under OWASP Top 10 A03:2021 (Injection), mapped to CWE-79, and carries a CVSS score of 5.9, which falls in the Medium severity band (4.0-6.9) of the CVSS v3.x rating scale. [1]
How can this vulnerability impact me?
If exploited, the stored script executes in the context of the site for every visitor who loads the affected page, which can be used for unauthorized redirects, injected advertisements, or other hostile HTML and JavaScript payloads. Because the payload can only be planted by a privileged user, the pool of potential attackers is small, and the practical risk depends on how many trusted accounts exist and how well they are protected. The impact is a loss of site integrity and of visitor trust; the overall rating is Medium rather than Critical because of the privilege required. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The most reliable check is the installed version: any Pondol BBS install at 1.1.8.4 or earlier is affected. Beyond that, detection means looking for injection attempts against the plugin's input fields, especially from privileged accounts. Review web server logs for script tags, event-handler attributes (onerror=, onload=) or javascript: URLs in request targets, after URL-decoding them, since attackers routinely encode payloads once or twice. Note that stored-XSS payloads are usually submitted in POST bodies, which ordinary access logs do not record; a WAF audit log or application-level logging is needed to see those. Manual testing by submitting script payloads into the plugin's input fields on an affected version will also confirm the issue. The source advisory provides no specific detection commands. [1]
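The two checks described above, as an added example that is not part of the advisory or of the plugin's own code: a version check that parses the plugin's main-file header (the WordPress `Version:` header line) against the 1.1.8.4 boundary, and a scan of access-log lines for URL-encoded script payloads. The plugin file contents and the log lines are constructed for the example, and the `page=pondol-bbs` admin URL is an assumed path, not one taken from the plugin.

```python
"""Added example for CVE-2025-49336 (not from the advisory or the plugin).

1. plugin_version_from_header() / is_affected_version(): read the WordPress
   plugin header and decide whether the install is <= 1.1.8.4.
2. find_script_injection_attempts(): scan access-log lines for script-like
   payloads in the request target, after repeated URL decoding.

The plugin header text, the log lines and the admin URL are constructed.
"""
import re
from urllib.parse import unquote_plus

# Last affected version according to the advisory (inclusive).
LAST_VULNERABLE = (1, 1, 8, 4)

# Constructed plugin header; real WordPress plugins carry this comment block
# in their main PHP file. The path to that file is install-specific.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Pondol BBS
Version: 1.1.8.4
*/
"""

# Constructed Apache/Nginx "combined" log lines. The ?page=pondol-bbs URL is
# an assumption used only to make the sample realistic.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Jan/2026:10:01:02 +0000] "GET /wp-admin/admin.php?page=pondol-bbs&q=hello HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Jan/2026:10:01:09 +0000] "GET /wp-admin/admin.php?page=pondol-bbs&title=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 5200 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [22/Jan/2026:10:02:31 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 42 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [22/Jan/2026:10:03:00 +0000] "GET /?s=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 9000 "-" "curl/8.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Tags and attribute patterns that have no business in a query string.
XSS_RE = re.compile(
    r'<\s*(script|svg|img|iframe|body|object|embed)\b|javascript\s*:|\bon[a-z]+\s*=',
    re.I,
)


def parse_version(text):
    """'1.1.8.4' -> (1, 1, 8, 4); returns None if no digits are present."""
    parts = re.findall(r'\d+', text)
    return tuple(int(p) for p in parts) if parts else None


def plugin_version_from_header(header_text):
    """Extract the value of the WordPress 'Version:' header line."""
    m = re.search(r'^\s*\*?\s*Version:\s*(\S+)', header_text, re.M | re.I)
    return m.group(1) if m else None


def is_affected_version(version):
    """True when version <= 1.1.8.4, comparing numerically component-wise."""
    v = parse_version(version)
    if v is None:
        return False
    n = max(len(v), len(LAST_VULNERABLE))
    padded = v + (0,) * (n - len(v))
    bound = LAST_VULNERABLE + (0,) * (n - len(LAST_VULNERABLE))
    return padded <= bound


def decode_fully(s, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are exposed."""
    for _ in range(rounds):
        d = unquote_plus(s)
        if d == s:
            break
        s = d
    return s


def find_script_injection_attempts(log_lines):
    """Return the requests whose decoded target contains a script-like payload."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        decoded = decode_fully(m['target'])
        if XSS_RE.search(decoded):
            hits.append({
                'ip': m['ip'],
                'timestamp': m['ts'],
                'method': m['method'],
                'status': int(m['status']),
                'decoded_target': decoded,
            })
    return hits


if __name__ == '__main__':
    ver = plugin_version_from_header(SAMPLE_PLUGIN_HEADER)
    print(f'installed version {ver}: affected={is_affected_version(ver)}')
    for h in find_script_injection_attempts(SAMPLE_LOG):
        print(f"{h['ip']} {h['method']} -> {h['decoded_target']}")
```

Only GET targets are visible here; the POST to admin-ajax.php in the sample is not flagged even though a real stored-XSS submission would most likely travel that way, which is the gap a WAF audit log or application logging has to close.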
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps: limit Editor-level and higher roles to accounts that genuinely need them, and protect those accounts with strong authentication, since they are the only ones that can plant the payload; warn privileged users about untrusted links and forms; and put a web application firewall (WAF) in front of the site to filter script injection in requests. This page lists no patched version, so consider disabling the Pondol BBS plugin, or restricting who can post through it, until the vendor ships a fix, and keep checking the vendor and security advisories for an update. [1]