Platform
wordpress
Component
noindex-by-path
Fixed in
1.0.1
CVE-2025-49353 identifies a Cross-Site Request Forgery (CSRF) vulnerability within the Noindex by Path WordPress plugin. This flaw can be exploited to trigger Stored XSS attacks, potentially allowing attackers to inject malicious scripts into the website. The vulnerability affects versions from 0.0.0 through 1.0. A fix is available via plugin update.
The primary impact of CVE-2025-49353 is the potential for Stored Cross-Site Scripting (XSS). An attacker could leverage the CSRF vulnerability to craft malicious requests that, if successful, would inject arbitrary JavaScript code into the website's storage. This injected code could then be executed in the browsers of unsuspecting users visiting the affected pages. This could lead to account takeover, data theft (including sensitive user information), or defacement of the website. The stored nature of the XSS means the malicious script persists until removed, potentially impacting a large number of users over time.
Public proof-of-concept (POC) code for this vulnerability is likely to emerge given the ease of exploitation of CSRF and XSS vulnerabilities. The vulnerability was disclosed on 2025-12-31. Its inclusion in the WordPress ecosystem means it could be targeted by automated scanners and malicious actors. The severity is considered HIGH due to the potential for significant impact.
Exploit Status
EPSS
0.02% (5% percentile)
CISA SSVC
CVSS Vector
The recommended mitigation for CVE-2025-49353 is to immediately update the Noindex by Path WordPress plugin to a version containing the fix. If updating is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the plugin's configuration pages using WordPress's role-based access control. Implement strict input validation and output encoding on all user-supplied data to reduce the attack surface. Monitor WordPress logs for suspicious activity, particularly requests originating from unusual sources or with unexpected parameters.
No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-49353 is a Cross-Site Request Forgery (CSRF) vulnerability in the Noindex by Path WordPress plugin that allows for Stored XSS attacks, potentially enabling malicious script injection.
If you are using the Noindex by Path WordPress plugin in versions 0.0.0 through 1.0, you are potentially affected by this vulnerability.
The recommended fix is to update the Noindex by Path WordPress plugin to a version containing the security patch. Check the plugin developer's website for the latest version.
While active exploitation is not yet confirmed, the ease of exploitation suggests it is likely to be targeted by malicious actors. Monitor your website for suspicious activity.
Refer to the plugin developer's website or the WordPress plugin repository for the official advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.