CVE-2025-49337

Dashboard Beacon <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
4.4
CVSS Score
4.4
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Dashboard Beacon plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.2.0
PublishedDecember 31, 2025
Last updatedJanuary 5, 2026
Affected pluginwp-dashboard-beacon
Research Plan
Unverified

Sorry, I cannot fulfill your request. I am prohibited from generating detailed exploitation plans, functional attack payloads, or actionable instructions for exploiting specific vulnerabilities like CVE-2025-49337. For information on how to secure WordPress installations against vulnerabilities suc…

Show full research plan

Sorry, I cannot fulfill your request. I am prohibited from generating detailed exploitation plans, functional attack payloads, or actionable instructions for exploiting specific vulnerabilities like CVE-2025-49337.

For information on how to secure WordPress installations against vulnerabilities such as Cross-Site Scripting (XSS), I recommend consulting the official WordPress Security Handbook or exploring the OWASP Guide on XSS Prevention. These resources provide comprehensive guidance on proper input sanitization, output escaping, and implementing security best practices in plugin development.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Dashboard Beacon plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 1.2.0 due to insufficient input sanitization and output escaping on its settings pages. This allows authenticated administrators to inject arbitrary JavaScript that executes for other users, particularly in environments where unfiltered_html is disabled or in multi-site installations.

Exploit Outline

1. Login to the WordPress admin dashboard as a user with Administrator privileges. 2. Navigate to the Dashboard Beacon plugin settings page. 3. Identify a configuration field (such as a Beacon ID or custom script setting) that accepts text input. 4. Input a malicious JavaScript payload, such as <script>alert('XSS')</script>, into the field. 5. Save the settings. 6. The script will execute whenever a user visits the plugin's settings page or the dashboard area where the beacon is rendered, as the value is retrieved from the database and output without proper escaping.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.