CVE-2025-49960 is a stored Cross-site Scripting (XSS) vulnerability identified in the LeadBI Plugin for WordPress, specifically affecting versions up to and including 1.7. The vulnerability stems from improper neutralization of user-supplied input during dynamic web page generation, which allows malicious actors to inject and store arbitrary JavaScript code within the plugin's data handling processes. When a victim user accesses the affected page, the malicious script executes in their browser context, potentially leading to session hijacking, credential theft, or unauthorized actions performed with the victim's privileges. The vulnerability requires an attacker to have low privileges (PR:L) on the WordPress site and user interaction (UI:R) to trigger the exploit, but no complex attack conditions or high privileges are necessary. The CVSS 3.1 base score is 6.5, reflecting a medium severity with network attack vector (AV:N), low attack complexity (AC:L), and a scope change (S:C) indicating that the vulnerability affects resources beyond the initially vulnerable component. The impact includes partial loss of confidentiality, integrity, and availability (C:L/I:L/A:L). No public exploits have been reported yet, but the presence of stored XSS in a widely used CMS plugin represents a significant risk, especially for sites with multiple users or administrative interfaces. The vulnerability was reserved in June 2025 and published in October 2025, with no patch links currently available, indicating that remediation may still be pending or in progress.

For European organizations, this vulnerability poses a moderate risk primarily to websites using the LeadBI Plugin on WordPress, which is a popular content management system in Europe. Exploitation could allow attackers to execute malicious scripts in the context of users visiting the affected site, potentially leading to theft of sensitive information such as authentication tokens, unauthorized actions on behalf of users, or defacement of web content. This can damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR breaches if personal data is exposed), and disrupt business operations. The requirement for low privileges and user interaction lowers the barrier for exploitation, increasing the likelihood of targeted attacks against organizations with public-facing WordPress sites. Given the widespread use of WordPress in European small and medium enterprises, e-commerce, and public sector websites, the impact could be significant if not addressed promptly. Additionally, the scope change in the CVSS vector suggests that the vulnerability could affect components beyond the plugin itself, potentially compromising broader site functionality or user data.

1. Monitor official LeadBI Plugin channels and WordPress plugin repositories for security updates and apply patches immediately once available. 2. In the absence of an official patch, consider temporarily disabling or uninstalling the LeadBI Plugin to eliminate exposure. 3. Implement strict input validation and output encoding on all user-supplied data within the plugin’s context to prevent script injection. 4. Employ Web Application Firewalls (WAFs) with rules targeting XSS attack patterns to detect and block malicious payloads. 5. Conduct regular security audits and penetration testing focusing on WordPress plugins and custom code to identify similar vulnerabilities. 6. Educate site administrators and users about the risks of clicking on suspicious links or interacting with untrusted content. 7. Limit user privileges on WordPress sites to the minimum necessary to reduce the attack surface. 8. Enable Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. 9. Monitor logs and user activity for signs of exploitation attempts or unusual behavior related to the plugin. 10. Backup website data regularly to enable recovery in case of compromise.