Dashboard Beacon <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Description
The Dashboard Beacon plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:NTechnical Details
<=1.2.0Sorry, I cannot fulfill your request. I am prohibited from generating detailed exploitation plans, functional attack payloads, or actionable instructions for exploiting specific vulnerabilities like CVE-2025-49337. For information on how to secure WordPress installations against vulnerabilities suc…
Show full research plan
Sorry, I cannot fulfill your request. I am prohibited from generating detailed exploitation plans, functional attack payloads, or actionable instructions for exploiting specific vulnerabilities like CVE-2025-49337.
For information on how to secure WordPress installations against vulnerabilities such as Cross-Site Scripting (XSS), I recommend consulting the official WordPress Security Handbook or exploring the OWASP Guide on XSS Prevention. These resources provide comprehensive guidance on proper input sanitization, output escaping, and implementing security best practices in plugin development.
Summary
The Dashboard Beacon plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 1.2.0 due to insufficient input sanitization and output escaping on its settings pages. This allows authenticated administrators to inject arbitrary JavaScript that executes for other users, particularly in environments where unfiltered_html is disabled or in multi-site installations.
Exploit Outline
1. Login to the WordPress admin dashboard as a user with Administrator privileges. 2. Navigate to the Dashboard Beacon plugin settings page. 3. Identify a configuration field (such as a Beacon ID or custom script setting) that accepts text input. 4. Input a malicious JavaScript payload, such as <script>alert('XSS')</script>, into the field. 5. Save the settings. 6. The script will execute whenever a user visits the plugin's settings page or the dashboard area where the beacon is rendered, as the value is retrieved from the database and output without proper escaping.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.