What the vulnerability does
01Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Wishlist wishlist allows Stored XSS.This issue affects Wishlist: from n/a through <= 1.0.43.
CVE-2025-49075
MEDIUM
CVE-2025-49075: WordPress Wishlist plugin <= 1.0.43 - Cross Site Scripting (XSS) vulnerability
CVSS base score
6.5/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Explanation of Vulnerability in Simple Terms
02Summary
Wishlist versions up to 1.0.43 contain a cross-site scripting (XSS) vulnerability that allows authenticated users to inject malicious scripts. An attacker with low-level access can craft a request that, when visited by another user, executes arbitrary JavaScript in their browser. This can lead to session hijacking, credential theft, or unauthorized actions on the site.
What an attacker can do
03Attacker Capabilities
Inject and execute malicious JavaScript in other users' browsers to steal data or perform actions on their behalf.
Potential impact on your site
04Site Impact
Authenticated users' sessions and data are at risk if they interact with content crafted by attackers with plugin access.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege account; victim must visit a page containing the attacker's malicious payload.
Key dates
06Disclosure timeline
June 6, 2025
CVE published
April 28, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2024-9386 Exclusive Divi – Divi Preloader, Modules for Divi & Extra Theme <= 1.4 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
CVE-2023-4951 Cross Site Scripting (XSS) Issue on "Client Based Authentication Policy Configuration" Screen
CVE-2023-28083 Potential Cross-Site scripting vulnerability in HPE Integrated Lights-Out 6 (iLO 6), Integrated Lights-Out 5 (iLO 5) and Integrated Lights-Out 4 (iLO 4).
CVE-2024-13245 CKEditor 4 LTS - WYSIWYG HTML editor - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-009
CVE-2025-22579 WordPress WP Header Notification plugin <= 1.2.7 - Cross Site Scripting (XSS) vulnerability
