CVE-2025-49890 — AI Deep Analysis Summary

🚨 **Essence**: Stored XSS in 'AWStats Script' plugin. 📉 **Consequences**: Malicious scripts persist on the site, hijacking user sessions, stealing cookies, or defacing pages. Critical integrity loss.

🛡️ **CWE-502**: Deserialization of Untrusted Data (Note: Description cites XSS, but CWE is listed as 502).…

👥 **Vendor**: ThemeREX. 📦 **Product**: Organic Beauty Theme & AWStats Script Plugin. 📅 **Version**: AWStats Script **0.3 and earlier**. WordPress core is also mentioned as part of the ecosystem.

💻 **Attacker Actions**: Execute arbitrary JavaScript in victims' browsers. 🕵️ **Impact**: Steal sensitive data (cookies/tokens), perform actions on behalf of users, or redirect traffic. Full UI compromise.

🔓 **Threshold**: LOW. 🚫 **Auth**: None required (PR:N). 🖱️ **UI**: None required (UI:N). 🌐 **Network**: Remote (AV:N). Easy to exploit for any unauthenticated user.

📜 **Public Exp**: No specific PoC provided in data. 🔍 **Status**: Listed in Patchstack DB. Wild exploitation likely possible due to low complexity and no auth requirement.

🔍 **Check**: Scan for 'AWStats Script' plugin version 0.3 or lower. 🧪 **Test**: Look for stored XSS vectors in stats input fields. Use DAST tools to detect reflected/stored script injection points.

🛠️ **Fix**: Update 'AWStats Script' plugin to version **>0.3**. 🔄 **Mitigation**: Remove the plugin if not needed. Check Patchstack for official patch notes.

🚧 **Workaround**: Disable the plugin immediately. 🛡️ **Defense**: Implement strict Input Validation/Output Encoding (WAF rules) to block script tags in user inputs. Monitor for suspicious script executions.

🔥 **Priority**: CRITICAL. 🚨 **CVSS**: 9.8 (High). ⚡ **Urgency**: Patch immediately. Remote, unauthenticated, high impact. Do not delay.