CVE-2025-49075: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in PickPlugins Wishlist
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Wishlist allows Stored XSS. This issue affects Wishlist: from n/a through 1.0.43.
AI Analysis
Technical Summary
CVE-2025-49075 is a stored cross-site scripting (XSS) vulnerability in the PickPlugins Wishlist WordPress plugin, affecting versions up to and including 1.0.43. It is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation): user-supplied input is written into HTML output without adequate sanitization or encoding, so an attacker can submit a payload that is persisted on the server and executed in the browser of every user who later views the affected page.

The CVSS 3.1 base score is 6.5 (medium), vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L. The attack is performed over the network with low complexity; PR:L means the attacker needs a low-privileged account on the site, and UI:R means a victim must view the page that carries the stored payload. Scope is changed because the injected script runs in the victim's browser, a different security authority from the vulnerable server-side component. Confidentiality, integrity and availability are each affected to a limited degree: the script can read what the victim's browser can see, alter displayed content, and perform actions on the victim's behalf.

No exploitation in the wild has been reported and no patch has been linked at the time of writing. Stored XSS is more dangerous than reflected XSS because the payload persists and can reach many users over time without further action by the attacker. PickPlugins Wishlist is used on WordPress sites, often e-commerce or content-heavy ones, to let users save items; exploitation could support phishing, session hijacking, or malware delivery through the affected site.
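To make the CWE-79 pattern concrete, the following added example (not the plugin's code; the field names, the list-item markup and the payloads are constructed for illustration) renders a stored wishlist entry three ways: raw concatenation, the common half-fix that encodes only angle brackets, and context-aware encoding. It then parses each result the way a browser would and reports whether the user data turned into elements or event handlers. The attribute-context payload shows why encoding `<` and `>` alone is not enough.

```python
import html
from html.parser import HTMLParser

# Constructed sample wishlist entries, the kind a low-privileged user could submit.
# The second entry carries a stored-XSS payload in both a text field and an
# attribute field. The field names and markup are assumptions for illustration;
# they are not the plugin's real data model.
SAMPLE_ENTRIES = [
    {"title": "Blue running shoes", "note": "size 42"},
    {"title": '<img src=x onerror="alert(document.cookie)">',
     "note": '" autofocus onfocus="alert(1)'},
]


def render_entry_vulnerable(entry):
    """CWE-79: stored user input is concatenated straight into HTML."""
    return (f'<li class="wishlist-item" title="{entry["note"]}">'
            f'{entry["title"]}</li>')


def render_entry_angle_brackets_only(entry):
    """A common half-fix: only < and > are encoded. The text node is safe,
    but the double-quoted attribute can still be broken out of with a quote."""
    enc = lambda s: s.replace("<", "&lt;").replace(">", "&gt;")
    return (f'<li class="wishlist-item" title="{enc(entry["note"])}">'
            f'{enc(entry["title"])}</li>')


def render_entry_hardened(entry):
    """Context-aware output encoding. html.escape(quote=True) encodes & < > " '
    which is sufficient for both a text node and a double-quoted attribute.
    In WordPress code the equivalents are esc_html() and esc_attr()."""
    title = html.escape(entry["title"], quote=True)
    note = html.escape(entry["note"], quote=True)
    return f'<li class="wishlist-item" title="{note}">{title}</li>'


class _MarkupAudit(HTMLParser):
    """Records every element and every on* event-handler attribute the browser
    would see, so we can check whether user data became active markup."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, _value in attrs:
            if name.startswith("on"):
                self.handlers.append((tag, name))


def audit_fragment(fragment):
    """Parse a rendered fragment as a browser would and report what appeared."""
    p = _MarkupAudit()
    p.feed(fragment)
    p.close()
    return {"tags": p.tags, "handlers": p.handlers}


def is_neutralised(fragment, allowed_tags=("li",)):
    """True when the fragment contains only the template's own element and no
    event handlers, i.e. the stored input stayed inert text."""
    report = audit_fragment(fragment)
    return all(t in allowed_tags for t in report["tags"]) and not report["handlers"]


if __name__ == "__main__":
    for render in (render_entry_vulnerable, render_entry_angle_brackets_only,
                   render_entry_hardened):
        out = render(SAMPLE_ENTRIES[1])
        print(f"{render.__name__:32} neutralised={is_neutralised(out)}  {out}")
```

Running the block shows the vulnerable renderer producing a new `img` element with an `onerror` handler, the angle-bracket-only renderer still yielding an `onfocus` handler on the `li` (the attribute was closed early by the `"` in the note), and only the hardened renderer leaving a single inert `li`. The same split between text-node and attribute context is why WordPress ships separate `esc_html()` and `esc_attr()` helpers rather than one generic escape.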
Potential Impact
For European organizations running e-commerce or content sites on WordPress with PickPlugins Wishlist, this vulnerability exposes visitors and staff to client-side attacks that can compromise user data and trust. Script running in a victim's browser can act with that user's session, which for an administrator viewing the affected page can mean account takeover or unauthorized changes and, for a customer, unauthorized transactions. Note that WordPress sets its authentication cookies with the HttpOnly flag, so reading them from document.cookie is not the usual route; the realistic path is for the injected script to issue requests (for example to the REST API or admin-ajax) with the victim's logged-in session. Displayed content can be altered, damaging brand reputation. Availability impact is limited but possible if the injected script is disruptive. Given the medium CVSS score and the need for a victim to view the poisoned page, the threat is moderate, but organizations handling personal data under GDPR should treat a persistent script injection on a customer-facing site as a potential personal-data breach with notification obligations and possible regulatory penalties. With no patch available yet, affected organizations must monitor and mitigate exposure.
Mitigation Recommendations
1. Until a patch is available, disable the PickPlugins Wishlist plugin or restrict who can create wishlist entries; the attacker needs only a low-privileged account.
2. Deploy Web Application Firewall (WAF) rules to detect and block common XSS payloads sent to the wishlist endpoints. Treat this as a stopgap: a WAF only sees the injection request, and signature-based rules are routinely bypassed.
3. If you maintain customized templates or forks of the plugin, validate input and encode output for every field displayed from a wishlist entry, using the WordPress escaping function for the output context (esc_html() for text nodes, esc_attr() for attribute values, esc_url() for URLs). Encoding angle brackets alone does not protect attribute contexts.
4. Serve a Content Security Policy (CSP) that restricts script sources and inline script execution. Test it first: WordPress themes and plugins commonly rely on inline scripts, so a strict policy needs nonces or hashes to avoid breaking the site.
5. Monitor web server and application logs for injection attempts against wishlist features (encoded angle brackets, event-handler attributes, script tags in submitted fields), and inspect already-stored wishlist entries for markup, since a payload may have been planted before monitoring started.
6. Educate users and administrators about the risks of interacting with untrusted content, bearing in mind that for stored XSS the victim needs only to view a page the attacker has poisoned.
7. Once a patch is released, test and deploy it promptly.
8. Review user privilege assignments so that low-privileged accounts can do only what they need, limiting what a successful low-privilege exploitation can reach.
9. Regularly audit and update all plugins to reduce the attack surface.
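The log-monitoring recommendation above is easy to state and easy to get wrong, because payloads arrive URL-encoded, sometimes twice. The following added example (not part of the advisory or the plugin; the admin-ajax action name `wishlist_add`, the `title` parameter and the log lines are constructed assumptions) scans combined-format access log lines for wishlist-related requests, decodes each parameter until it stops changing, and reports the indicators found. It also reflects a limit practitioners should keep in mind: access logs only carry the query string, so injection via POST bodies needs WAF or application-level request logging.

```python
import re
import urllib.parse

# Constructed Apache/Nginx combined-format access log lines. The admin-ajax
# action name "wishlist_add" and the "title" parameter are assumptions made
# for this example, not the plugin's real endpoint; adapt them to what your
# site actually exposes.
LOG_LINES = """\
203.0.113.10 - - [06/Jun/2025:12:28:56 +0000] "GET /shop/product/blue-shoes/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [06/Jun/2025:12:29:01 +0000] "GET /wp-admin/admin-ajax.php?action=wishlist_add&title=Blue%20shoes HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Jun/2025:12:31:44 +0000] "GET /wp-admin/admin-ajax.php?action=wishlist_add&title=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.7 - - [06/Jun/2025:12:32:02 +0000] "GET /wp-admin/admin-ajax.php?action=wishlist_add&title=%253Csvg%2520onload%253Dalert(1)%253E HTTP/1.1" 200 88 "-" "curl/8.0"
203.0.113.10 - - [06/Jun/2025:12:33:10 +0000] "GET /my-wishlist/ HTTP/1.1" 200 7331 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Indicators of markup that would become active if echoed unescaped.
INDICATORS = [
    ("script_tag", re.compile(r"<\s*script", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("active_element", re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I)),
]


def decode_fully(value, max_rounds=3):
    """URL-decode until the value stops changing, so double-encoded payloads
    (%253C -> %3C -> <) are seen in their final form."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_wishlist_request(path):
    # Assumed naming convention: any path or query that mentions the wishlist feature.
    return "wishlist" in path.lower()


def scan_access_log(text):
    """Return one finding per request parameter carrying an XSS indicator on a
    wishlist-related request. Only query-string data is visible in access logs;
    POST bodies need WAF or application-level request logging."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_wishlist_request(m["path"]):
            continue
        query = urllib.parse.urlsplit(m["path"]).query
        # parse_qsl splits on the raw & and = before decoding, then decodes once;
        # decode_fully handles any further layers of encoding.
        for name, raw in urllib.parse.parse_qsl(query, keep_blank_values=True):
            value = decode_fully(raw)
            hits = [label for label, rx in INDICATORS if rx.search(value)]
            if hits:
                findings.append({
                    "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                    "param": name, "value": value, "indicators": hits,
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(LOG_LINES):
        print(f"{f['ts']} {f['ip']} {f['method']} param={f['param']} "
              f"{','.join(f['indicators'])}: {f['value']!r}")
```

On the constructed input the scan flags the two requests from 198.51.100.7 and nothing else; the double-encoded `%253Csvg...` request is only caught because decoding is repeated. Indicator lists like this are for triage, not for blocking: they will miss obfuscated payloads, and the authoritative fix remains output encoding in the plugin.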
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-05-30T14:04:49.666Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6842df081a426642debcb4d6
Added to database: 6/6/2025, 12:28:56 PM
Last enriched: 7/7/2025, 6:28:45 PM
Last updated: 8/1/2025, 8:44:34 PM
Views: 13
Related Threats
- CVE-2025-54992: CWE-611: Improper Restriction of XML External Entity Reference in telstra open-kilda (Medium)
- CVE-2025-55012: CWE-288: Authentication Bypass Using an Alternate Path or Channel in zed-industries zed (High)
- CVE-2025-8854: CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') in bulletphysics bullet3 (High)
- CVE-2025-8830: OS Command Injection in Linksys RE6250 (Medium)
- CVE-2025-54878: CWE-122: Heap-based Buffer Overflow in nasa CryptoLib (High)